This was reported to the security team, demonstrating that code execution
could be achieved, but without a demonstration of a privilege boundary being
bypassed.
Still, it's a high risk path with no obvious evidence of having been used even
for debugging, so remove the environment variable and use the build time
$(libdir)/xenfsimage path only.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Anthony PERARD <anthony.perard@vates.tech>
CC: Michal Orzel <michal.orzel@amd.com>
CC: Jan Beulich <jbeulich@suse.com>
CC: Julien Grall <julien@xen.org>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Oleksii Kurochko <oleksii.kurochko@gmail.com>
For 4.22. This was supposed to be posted earlier but fell through the cracks.
Given its borderline-security aspect, we don't want to delay it any further.
---
CHANGELOG.md | 1 +
tools/libfsimage/common/fsimage_plugin.c | 5 +----
2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ef4e6ae9c459..0a4e5f013cb1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -63,6 +63,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
- Removed xenpm tool on non-x86 platforms as it doesn't actually provide
anything useful outside of x86.
+ - Removed the XEN_FSIMAGE_FSDIR environment variable.
## [4.21.0](https://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=RELEASE-4.21.0) - 2025-11-19
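Review bot: the new entry `+ - Removed the XEN_FSIMAGE_FSDIR environment variable.` tells a reader that the variable is gone but not what it controlled or what now applies; since the commit message frames this as the removal of a runtime plugin-directory override, a slightly fuller line such as `Removed the XEN_FSIMAGE_FSDIR environment variable; libfsimage now only loads plugins from the build-time $(libdir)/xenfsimage path.` would let library users understand the behaviour change from the changelog alone.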
diff --git a/tools/libfsimage/common/fsimage_plugin.c b/tools/libfsimage/common/fsimage_plugin.c
index d0cb9e96a654..539dc247356a 100644
--- a/tools/libfsimage/common/fsimage_plugin.c
+++ b/tools/libfsimage/common/fsimage_plugin.c
@@ -121,7 +121,7 @@ static int init_plugin(const char *lib)
int fsi_init(void)
{
- const char *fsdir = getenv("XEN_FSIMAGE_FSDIR");
+ const char *fsdir = FSIMAGE_FSDIR;
struct dirent *dp = NULL;
DIR *dir = NULL;
char *tmp = NULL;
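Review bot: with the getenv() call gone, `fsdir` in `+ const char *fsdir = FSIMAGE_FSDIR;` is assigned exactly once and never changes, so declaring it `const char *const fsdir = FSIMAGE_FSDIR;` (or using FSIMAGE_FSDIR directly in the pathconf() call) would make it obvious at a glance that the plugin directory can no longer be influenced at runtime and would let the compiler reject any future reintroduction of an override.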
@@ -129,9 +129,6 @@ int fsi_init(void)
int err;
int ret = -1;
- if (fsdir == NULL)
- fsdir = FSIMAGE_FSDIR;
-
if ((name_max = pathconf(fsdir, _PC_NAME_MAX)) == -1)
goto fail;
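Review bot: dropping the `if (fsdir == NULL)` fallback is the necessary companion to the declaration change above, and the remaining `pathconf(fsdir, _PC_NAME_MAX)` check now fails hard whenever the build-time directory is absent, with no runtime escape hatch left. The commit message states there is no evidence of the variable being used even for debugging; it would help future readers if it also said explicitly that any test or out-of-tree setup must now install plugins into $(libdir)/xenfsimage rather than redirect the library elsewhere.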
base-commit: ad9f564a5d840389cbf1b230086e1dd8257d8820
--
2.39.5
On Thu, Jul 02, 2026 at 04:03:01PM +0100, Andrew Cooper wrote:
> This was reported to the security team, demonstrating that code execution
> could be achieved, but without a demonstration of a privilege boundary being
> bypassed.
>
> Still, it's a high risk path with no obvious evidence of having been used even
> for debugging, so remove the environment variable and use the build time
> $(libdir)/xenfsimage path only.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Acked-by: Anthony PERARD <anthony.perard@vates.tech>

Thanks,

--
Anthony Perard | Vates XCP-ng Developer
XCP-ng & Xen Orchestra - Vates solutions
web: https://vates.tech
On 7/2/26 5:03 PM, Andrew Cooper wrote:
> This was reported to the security team, demonstrating that code execution
> could be achieved, but without a demonstration of a privilege boundary being
> bypassed.
>
> Still, it's a high risk path with no obvious evidence of having been used even
> for debugging, so remove the environment variable and use the build time
> $(libdir)/xenfsimage path only.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
> ---
> CC: Anthony PERARD <anthony.perard@vates.tech>
> CC: Michal Orzel <michal.orzel@amd.com>
> CC: Jan Beulich <jbeulich@suse.com>
> CC: Julien Grall <julien@xen.org>
> CC: Roger Pau Monné <roger.pau@citrix.com>
> CC: Stefano Stabellini <sstabellini@kernel.org>
> CC: Oleksii Kurochko <oleksii.kurochko@gmail.com>
>
> For 4.22. This was supposed to be posted earlier but fell through the cracks.
> Given its borderline-security aspect, we don't want to delay it any further.
> ---
Release-Acked-by: Oleksii Kurochko <oleksii.kurochko@gmail.com>
> CHANGELOG.md | 1 +
> tools/libfsimage/common/fsimage_plugin.c | 5 +----
> 2 files changed, 2 insertions(+), 4 deletions(-)
>
> diff --git a/CHANGELOG.md b/CHANGELOG.md
> index ef4e6ae9c459..0a4e5f013cb1 100644
> --- a/CHANGELOG.md
> +++ b/CHANGELOG.md
> @@ -63,6 +63,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
>
> - Removed xenpm tool on non-x86 platforms as it doesn't actually provide
> anything useful outside of x86.
> + - Removed the XEN_FSIMAGE_FSDIR environment variable.
>
> ## [4.21.0](https://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=RELEASE-4.21.0) - 2025-11-19
>
Acked-by: Oleksii Kurochko <oleksii.kurochko@gmail.com>
> diff --git a/tools/libfsimage/common/fsimage_plugin.c b/tools/libfsimage/common/fsimage_plugin.c
> index d0cb9e96a654..539dc247356a 100644
> --- a/tools/libfsimage/common/fsimage_plugin.c
> +++ b/tools/libfsimage/common/fsimage_plugin.c
> @@ -121,7 +121,7 @@ static int init_plugin(const char *lib)
>
> int fsi_init(void)
> {
> - const char *fsdir = getenv("XEN_FSIMAGE_FSDIR");
> + const char *fsdir = FSIMAGE_FSDIR;
> struct dirent *dp = NULL;
> DIR *dir = NULL;
> char *tmp = NULL;
> @@ -129,9 +129,6 @@ int fsi_init(void)
> int err;
> int ret = -1;
>
> - if (fsdir == NULL)
> - fsdir = FSIMAGE_FSDIR;
> -
> if ((name_max = pathconf(fsdir, _PC_NAME_MAX)) == -1)
> goto fail;
>
>
> base-commit: ad9f564a5d840389cbf1b230086e1dd8257d8820
~ Oleksii
On Thu, Jul 02, 2026 at 04:03:01PM +0100, Andrew Cooper wrote:
> This was reported to the security team, demonstrating that code execution
> could be achieved, but without a demonstration of a privilege boundary being
> bypassed.
>
> Still, it's a high risk path with no obvious evidence of having been used even
> for debugging, so remove the environment variable and use the build time
> $(libdir)/xenfsimage path only.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>

Thanks, Roger.