'[xen master] tools/xenstore: Avoid leaking memory in check_store'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       xen-cvs
Subject:    [xen master] tools/xenstore: Avoid leaking memory in check_store
From:       patchbot () xen ! org
Date:       2023-09-30 21:57:42
Message-ID: E1qmi0H-0000kq-Gl () xenbits ! xenproject ! org
[Download RAW message or body]

commit 33cf95008548e2a9eb5a27728f303298823d895d
Author:     David Kahurani <k.kahurani@gmail.com>
AuthorDate: Fri Sep 29 07:57:24 2023 +0300
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Fri Sep 29 10:50:37 2023 +0100

    tools/xenstore: Avoid leaking memory in check_store
    
    check_store() will leak the memory from reading the "@introduceDomain" and
    "@releaseDomain" nodes.
    
    While this code should not be trigger-able from an unprivileged domain
    it is called multiple times when the database gets inconsistent. This
    means that a malicious guest able to corrupt the database will trigger
    the leaks here.
    
    Fix the leaks so that this code can be safely called from anywhere.
    
    Fixes: 67617067f0b6 ("tools/xenstore: let check_store() check the accounting data")
    Signed-off-by: David Kahurani <k.kahurani@gmail.com>
    Reviewed-by: Juergen Gross <jgross@suse.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 tools/xenstored/core.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/tools/xenstored/core.c b/tools/xenstored/core.c
index 092de76a2e..edd07711db 100644
--- a/tools/xenstored/core.c
+++ b/tools/xenstored/core.c
@@ -2535,18 +2535,18 @@ static void clean_store(struct check_store_data *data)
 	domain_check_acc(data->domains);
 }
 
-int check_store_path(const char *name, struct check_store_data *data)
+int check_store_path(const void *ctx, const char *name, struct check_store_data *data)
 {
 	struct node *node;
 
-	node = read_node(NULL, NULL, name);
+	node = read_node(NULL, ctx, name);
 	if (!node) {
 		log("check_store: error %d reading special node '%s'", errno,
 		    name);
 		return errno;
 	}
 
-	return check_store_step(NULL, NULL, node, data);
+	return check_store_step(ctx, NULL, node, data);
 }
 
 void check_store(void)
@@ -2556,6 +2556,7 @@ void check_store(void)
 		.enoent = check_store_enoent,
 	};
 	struct check_store_data data;
+	void *ctx;
 
 	/* Don't free values (they are all void *1) */
 	data.reachable = create_hashtable(NULL, "checkstore", hash_from_key_fn,
@@ -2571,17 +2572,19 @@ void check_store(void)
 		goto out_hash;
 	}
 
+	ctx = talloc_new(NULL);
 	log("Checking store ...");
-	if (walk_node_tree(NULL, NULL, "/", &walkfuncs, &data)) {
+	if (walk_node_tree(ctx, NULL, "/", &walkfuncs, &data)) {
 		if (errno == ENOMEM)
 			log("check_store: ENOMEM");
-	} else if (!check_store_path("@introduceDomain", &data) &&
-		   !check_store_path("@releaseDomain", &data) &&
+	} else if (!check_store_path(ctx, "@introduceDomain", &data) &&
+		   !check_store_path(ctx, "@releaseDomain", &data) &&
 		   !check_transactions(data.reachable))
 		clean_store(&data);
 	log("Checking store complete.");
 
 	hashtable_destroy(data.domains);
+	talloc_free(ctx);
  out_hash:
 	hashtable_destroy(data.reachable);
 }
--
generated by git-patchbot for /home/xen/git/xen.git#master

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic