[PATCH] libxl: Fix error handling in libxl_userdata_unlink

[PATCH] libxl: Fix error handling in libxl_userdata_unlink

[Ian Jackson]

Previously:
  * rc would not be set before leaving the function, with the
    result that an uninitialised value would be returned
  * failures of libxl__userdata_path would result in a NULL dereference
  * failures of unlink() would not be usefully logged

This appears to be due to an attempt to avoid having to repeat the
call to libxl__unlock_domain_userdata by informally sharing parts of
the success and failure paths.

Change to use the canonical error-handling style:
  * Initialise lock to 0.
  * Do the unlock in the `out' section - always attempt to unlock
    lock if it is non-0.
  * Explicitly set rc and `goto out' on all error paths, even
    those right at the end of the function.
  * Add an error check for filename = libxl__userdata_path(...);

(CCing security@ because they receive the Coverity reports.  This is
not a security problem AFAICT.)

Coverity-ID: 1240237, 1240235.
CC: Wei Liu <wei.liu2@citrix.com>
CC: security@xenproject.org
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
---
 tools/libxl/libxl_dom.c |   20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/tools/libxl/libxl_dom.c b/tools/libxl/libxl_dom.c
index bd21841..9eb74ec 100644
--- a/tools/libxl/libxl_dom.c
+++ b/tools/libxl/libxl_dom.c
@@ -2097,12 +2097,12 @@ int libxl_userdata_unlink(libxl_ctx *ctx, uint32_t domid,
                           const char *userdata_userid)
 {
     GC_INIT(ctx);
-    int rc;
+    CTX_LOCK;
 
-    libxl__domain_userdata_lock *lock;
+    int rc;
+    libxl__domain_userdata_lock *lock = 0;
     const char *filename;
 
-    CTX_LOCK;
     lock = libxl__lock_domain_userdata(gc, domid);
     if (!lock) {
         rc = ERROR_LOCK_FAIL;
@@ -2110,10 +2110,20 @@ int libxl_userdata_unlink(libxl_ctx *ctx, uint32_t domid,
     }
 
     filename = libxl__userdata_path(gc, domid, userdata_userid, "d");
-    if (unlink(filename)) rc = ERROR_FAIL;
+    if (!filename) {
+        rc = ERROR_FAIL;
+        goto out;
+    }
+    if (unlink(filename)) {
+        LOGE(ERROR, "error deleting userdata file: %s", filename);
+        rc = ERROR_FAIL;
+        goto out;
+    }
 
-    libxl__unlock_domain_userdata(lock);
+    rc = 0;
 out:
+    if (lock)
+        libxl__unlock_domain_userdata(lock);
     CTX_UNLOCK;
     GC_FREE;
     return rc;
-- 
1.7.10.4

Re: [PATCH] libxl: Fix error handling in libxl_userdata_unlink

[Andrew Cooper]

On 24/09/14 15:30, Ian Jackson wrote:
> Previously:
>   * rc would not be set before leaving the function, with the
>     result that an uninitialised value would be returned
>   * failures of libxl__userdata_path would result in a NULL dereference
>   * failures of unlink() would not be usefully logged
>
> This appears to be due to an attempt to avoid having to repeat the
> call to libxl__unlock_domain_userdata by informally sharing parts of
> the success and failure paths.
>
> Change to use the canonical error-handling style:
>   * Initialise lock to 0.
>   * Do the unlock in the `out' section - always attempt to unlock
>     lock if it is non-0.
>   * Explicitly set rc and `goto out' on all error paths, even
>     those right at the end of the function.
>   * Add an error check for filename = libxl__userdata_path(...);
>
> (CCing security@ because they receive the Coverity reports.  This is
> not a security problem AFAICT.)

How about coverty@ which includes some of us not on securty@ ?

>
> Coverity-ID: 1240237, 1240235.
> CC: Wei Liu <wei.liu2@citrix.com>
> CC: security@xenproject.org
> Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
> ---
>  tools/libxl/libxl_dom.c |   20 +++++++++++++++-----
>  1 file changed, 15 insertions(+), 5 deletions(-)
>
> diff --git a/tools/libxl/libxl_dom.c b/tools/libxl/libxl_dom.c
> index bd21841..9eb74ec 100644
> --- a/tools/libxl/libxl_dom.c
> +++ b/tools/libxl/libxl_dom.c
> @@ -2097,12 +2097,12 @@ int libxl_userdata_unlink(libxl_ctx *ctx, uint32_t domid,
>                            const char *userdata_userid)
>  {
>      GC_INIT(ctx);
> -    int rc;
> +    CTX_LOCK;
>  
> -    libxl__domain_userdata_lock *lock;
> +    int rc;
> +    libxl__domain_userdata_lock *lock = 0;

Pointers should be initialised to NULL rather than 0.

With this change, Reviewed-by: Andrew Cooper<andrew.cooper3@citrix.com>

>      const char *filename;
>  
> -    CTX_LOCK;
>      lock = libxl__lock_domain_userdata(gc, domid);
>      if (!lock) {
>          rc = ERROR_LOCK_FAIL;
> @@ -2110,10 +2110,20 @@ int libxl_userdata_unlink(libxl_ctx *ctx, uint32_t domid,
>      }
>  
>      filename = libxl__userdata_path(gc, domid, userdata_userid, "d");
> -    if (unlink(filename)) rc = ERROR_FAIL;
> +    if (!filename) {
> +        rc = ERROR_FAIL;
> +        goto out;
> +    }
> +    if (unlink(filename)) {
> +        LOGE(ERROR, "error deleting userdata file: %s", filename);
> +        rc = ERROR_FAIL;
> +        goto out;
> +    }
>  
> -    libxl__unlock_domain_userdata(lock);
> +    rc = 0;
>  out:
> +    if (lock)
> +        libxl__unlock_domain_userdata(lock);
>      CTX_UNLOCK;
>      GC_FREE;
>      return rc;

Re: [PATCH] libxl: Fix error handling in libxl_userdata_unlink

[Wei Liu]

Ian C, this one seems to have fell through the crack.

Ian J CC'ed himself twice in the original email. :-)

Wei.

Re: [PATCH] libxl: Fix error handling in libxl_userdata_unlink

[Ian Jackson]

Andrew Cooper writes ("Re: [Xen-devel] [PATCH] libxl: Fix error handling in libxl_userdata_unlink"):
> On 24/09/14 15:30, Ian Jackson wrote:
> > (CCing security@ because they receive the Coverity reports.  This is
> > not a security problem AFAICT.)
> 
> How about coverty@ which includes some of us not on securty@ ?

Yes.

> > -    libxl__domain_userdata_lock *lock;
> > +    int rc;
> > +    libxl__domain_userdata_lock *lock = 0;
> 
> Pointers should be initialised to NULL rather than 0.

Changed.

> With this change, Reviewed-by: Andrew Cooper<andrew.cooper3@citrix.com>

Now pushed (with Ian C's ack, also).

Ian.