* [PATCH] tools/xenstored: Prevent a buffer overflow in dump_state_node_perms()
@ 2021-05-06 16:12 Julien Grall
2021-05-07 15:45 ` Luca Fancellu
2021-05-10 7:49 ` Juergen Gross
0 siblings, 2 replies; 4+ messages in thread
From: Julien Grall @ 2021-05-06 16:12 UTC (permalink / raw)
To: xen-devel; +Cc: julien, Julien Grall, Ian Jackson, Wei Liu, Juergen Gross
From: Julien Grall <jgrall@amazon.com>
ASAN reported one issue when Live Updating Xenstored:
=================================================================
==873==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc194f53e0 at pc 0x555c6b323292 bp 0x7ffc194f5340 sp 0x7ffc194f5338
WRITE of size 1 at 0x7ffc194f53e0 thread T0
#0 0x555c6b323291 in dump_state_node_perms xen/tools/xenstore/xenstored_core.c:2468
#1 0x555c6b32746e in dump_state_special_node xen/tools/xenstore/xenstored_domain.c:1257
#2 0x555c6b32a702 in dump_state_special_nodes xen/tools/xenstore/xenstored_domain.c:1273
#3 0x555c6b32ddb3 in lu_dump_state xen/tools/xenstore/xenstored_control.c:521
#4 0x555c6b32e380 in do_lu_start xen/tools/xenstore/xenstored_control.c:660
#5 0x555c6b31b461 in call_delayed xen/tools/xenstore/xenstored_core.c:278
#6 0x555c6b32275e in main xen/tools/xenstore/xenstored_core.c:2357
#7 0x7f95eecf3d09 in __libc_start_main ../csu/libc-start.c:308
#8 0x555c6b3197e9 in _start (/usr/local/sbin/xenstored+0xc7e9)
Address 0x7ffc194f53e0 is located in stack of thread T0 at offset 80 in frame
#0 0x555c6b32713e in dump_state_special_node xen/tools/xenstore/xenstored_domain.c:1232
This frame has 2 object(s):
[32, 40) 'head' (line 1233)
[64, 80) 'sn' (line 1234) <== Memory access at offset 80 overflows this variable
This is happening because the callers are passing a pointer to a variable
allocated on the stack. However, the field perms is a dynamic array, so
Xenstored will end up to read outside of the variable.
Rework the code so the permissions are written one by one in the fd.
Fixes: ed6eebf17d2c ("tools/xenstore: dump the xenstore state for live update")
Signed-off-by: Julien Grall <jgrall@amazon.com>
---
tools/xenstore/xenstored_core.c | 26 ++++++++++++++------------
tools/xenstore/xenstored_core.h | 3 +--
tools/xenstore/xenstored_domain.c | 2 +-
3 files changed, 16 insertions(+), 15 deletions(-)
diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
index d54a6042a9f7..f68da12b5b23 100644
--- a/tools/xenstore/xenstored_core.c
+++ b/tools/xenstore/xenstored_core.c
@@ -2447,34 +2447,36 @@ const char *dump_state_buffered_data(FILE *fp, const struct connection *c,
return NULL;
}
-const char *dump_state_node_perms(FILE *fp, struct xs_state_node *sn,
- const struct xs_permissions *perms,
+const char *dump_state_node_perms(FILE *fp, const struct xs_permissions *perms,
unsigned int n_perms)
{
unsigned int p;
for (p = 0; p < n_perms; p++) {
+ struct xs_state_node_perm sp;
+
switch ((int)perms[p].perms & ~XS_PERM_IGNORE) {
case XS_PERM_READ:
- sn->perms[p].access = XS_STATE_NODE_PERM_READ;
+ sp.access = XS_STATE_NODE_PERM_READ;
break;
case XS_PERM_WRITE:
- sn->perms[p].access = XS_STATE_NODE_PERM_WRITE;
+ sp.access = XS_STATE_NODE_PERM_WRITE;
break;
case XS_PERM_READ | XS_PERM_WRITE:
- sn->perms[p].access = XS_STATE_NODE_PERM_BOTH;
+ sp.access = XS_STATE_NODE_PERM_BOTH;
break;
default:
- sn->perms[p].access = XS_STATE_NODE_PERM_NONE;
+ sp.access = XS_STATE_NODE_PERM_NONE;
break;
}
- sn->perms[p].flags = (perms[p].perms & XS_PERM_IGNORE)
+ sp.flags = (perms[p].perms & XS_PERM_IGNORE)
? XS_STATE_NODE_PERM_IGNORE : 0;
- sn->perms[p].domid = perms[p].id;
- }
+ sp.domid = perms[p].id;
- if (fwrite(sn->perms, sizeof(*sn->perms), n_perms, fp) != n_perms)
- return "Dump node permissions error";
+ if (fwrite(&sp, sizeof(sp), 1, fp) != 1)
+ return "Dump node permission error";
+
+ }
return NULL;
}
@@ -2519,7 +2521,7 @@ static const char *dump_state_node_tree(FILE *fp, char *path)
if (fwrite(&sn, sizeof(sn), 1, fp) != 1)
return "Dump node state error";
- ret = dump_state_node_perms(fp, &sn, hdr->perms, hdr->num_perms);
+ ret = dump_state_node_perms(fp, hdr->perms, hdr->num_perms);
if (ret)
return ret;
diff --git a/tools/xenstore/xenstored_core.h b/tools/xenstore/xenstored_core.h
index 1cdbc3dcb5f7..b50ea3f57d5a 100644
--- a/tools/xenstore/xenstored_core.h
+++ b/tools/xenstore/xenstored_core.h
@@ -271,8 +271,7 @@ const char *dump_state_buffered_data(FILE *fp, const struct connection *c,
const struct connection *conn,
struct xs_state_connection *sc);
const char *dump_state_nodes(FILE *fp, const void *ctx);
-const char *dump_state_node_perms(FILE *fp, struct xs_state_node *sn,
- const struct xs_permissions *perms,
+const char *dump_state_node_perms(FILE *fp, const struct xs_permissions *perms,
unsigned int n_perms);
void read_state_global(const void *ctx, const void *state);
diff --git a/tools/xenstore/xenstored_domain.c b/tools/xenstore/xenstored_domain.c
index 3d4d0649a243..580ed454a3f5 100644
--- a/tools/xenstore/xenstored_domain.c
+++ b/tools/xenstore/xenstored_domain.c
@@ -1254,7 +1254,7 @@ static const char *dump_state_special_node(FILE *fp, const char *name,
if (fwrite(&sn, sizeof(sn), 1, fp) != 1)
return "Dump special node error";
- ret = dump_state_node_perms(fp, &sn, perms->p, perms->num);
+ ret = dump_state_node_perms(fp, perms->p, perms->num);
if (ret)
return ret;
--
2.17.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] tools/xenstored: Prevent a buffer overflow in dump_state_node_perms()
2021-05-06 16:12 [PATCH] tools/xenstored: Prevent a buffer overflow in dump_state_node_perms() Julien Grall
@ 2021-05-07 15:45 ` Luca Fancellu
2021-05-10 7:49 ` Juergen Gross
1 sibling, 0 replies; 4+ messages in thread
From: Luca Fancellu @ 2021-05-07 15:45 UTC (permalink / raw)
To: Julien Grall; +Cc: xen-devel, Julien Grall, Ian Jackson, Wei Liu, Juergen Gross
> On 6 May 2021, at 17:12, Julien Grall <julien@xen.org> wrote:
>
> From: Julien Grall <jgrall@amazon.com>
>
> ASAN reported one issue when Live Updating Xenstored:
>
> =================================================================
> ==873==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc194f53e0 at pc 0x555c6b323292 bp 0x7ffc194f5340 sp 0x7ffc194f5338
> WRITE of size 1 at 0x7ffc194f53e0 thread T0
> #0 0x555c6b323291 in dump_state_node_perms xen/tools/xenstore/xenstored_core.c:2468
> #1 0x555c6b32746e in dump_state_special_node xen/tools/xenstore/xenstored_domain.c:1257
> #2 0x555c6b32a702 in dump_state_special_nodes xen/tools/xenstore/xenstored_domain.c:1273
> #3 0x555c6b32ddb3 in lu_dump_state xen/tools/xenstore/xenstored_control.c:521
> #4 0x555c6b32e380 in do_lu_start xen/tools/xenstore/xenstored_control.c:660
> #5 0x555c6b31b461 in call_delayed xen/tools/xenstore/xenstored_core.c:278
> #6 0x555c6b32275e in main xen/tools/xenstore/xenstored_core.c:2357
> #7 0x7f95eecf3d09 in __libc_start_main ../csu/libc-start.c:308
> #8 0x555c6b3197e9 in _start (/usr/local/sbin/xenstored+0xc7e9)
>
> Address 0x7ffc194f53e0 is located in stack of thread T0 at offset 80 in frame
> #0 0x555c6b32713e in dump_state_special_node xen/tools/xenstore/xenstored_domain.c:1232
>
> This frame has 2 object(s):
> [32, 40) 'head' (line 1233)
> [64, 80) 'sn' (line 1234) <== Memory access at offset 80 overflows this variable
>
> This is happening because the callers are passing a pointer to a variable
> allocated on the stack. However, the field perms is a dynamic array, so
> Xenstored will end up to read outside of the variable.
>
> Rework the code so the permissions are written one by one in the fd.
>
> Fixes: ed6eebf17d2c ("tools/xenstore: dump the xenstore state for live update")
> Signed-off-by: Julien Grall <jgrall@amazon.com>
> ---
> tools/xenstore/xenstored_core.c | 26 ++++++++++++++------------
> tools/xenstore/xenstored_core.h | 3 +--
> tools/xenstore/xenstored_domain.c | 2 +-
> 3 files changed, 16 insertions(+), 15 deletions(-)
>
> diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
> index d54a6042a9f7..f68da12b5b23 100644
> --- a/tools/xenstore/xenstored_core.c
> +++ b/tools/xenstore/xenstored_core.c
> @@ -2447,34 +2447,36 @@ const char *dump_state_buffered_data(FILE *fp, const struct connection *c,
> return NULL;
> }
>
> -const char *dump_state_node_perms(FILE *fp, struct xs_state_node *sn,
> - const struct xs_permissions *perms,
> +const char *dump_state_node_perms(FILE *fp, const struct xs_permissions *perms,
> unsigned int n_perms)
> {
> unsigned int p;
>
> for (p = 0; p < n_perms; p++) {
> + struct xs_state_node_perm sp;
> +
> switch ((int)perms[p].perms & ~XS_PERM_IGNORE) {
> case XS_PERM_READ:
> - sn->perms[p].access = XS_STATE_NODE_PERM_READ;
> + sp.access = XS_STATE_NODE_PERM_READ;
> break;
> case XS_PERM_WRITE:
> - sn->perms[p].access = XS_STATE_NODE_PERM_WRITE;
> + sp.access = XS_STATE_NODE_PERM_WRITE;
> break;
> case XS_PERM_READ | XS_PERM_WRITE:
> - sn->perms[p].access = XS_STATE_NODE_PERM_BOTH;
> + sp.access = XS_STATE_NODE_PERM_BOTH;
> break;
> default:
> - sn->perms[p].access = XS_STATE_NODE_PERM_NONE;
> + sp.access = XS_STATE_NODE_PERM_NONE;
> break;
> }
> - sn->perms[p].flags = (perms[p].perms & XS_PERM_IGNORE)
> + sp.flags = (perms[p].perms & XS_PERM_IGNORE)
> ? XS_STATE_NODE_PERM_IGNORE : 0;
> - sn->perms[p].domid = perms[p].id;
> - }
> + sp.domid = perms[p].id;
>
> - if (fwrite(sn->perms, sizeof(*sn->perms), n_perms, fp) != n_perms)
> - return "Dump node permissions error";
> + if (fwrite(&sp, sizeof(sp), 1, fp) != 1)
> + return "Dump node permission error";
> +
> + }
>
> return NULL;
> }
> @@ -2519,7 +2521,7 @@ static const char *dump_state_node_tree(FILE *fp, char *path)
> if (fwrite(&sn, sizeof(sn), 1, fp) != 1)
> return "Dump node state error";
>
> - ret = dump_state_node_perms(fp, &sn, hdr->perms, hdr->num_perms);
> + ret = dump_state_node_perms(fp, hdr->perms, hdr->num_perms);
> if (ret)
> return ret;
>
> diff --git a/tools/xenstore/xenstored_core.h b/tools/xenstore/xenstored_core.h
> index 1cdbc3dcb5f7..b50ea3f57d5a 100644
> --- a/tools/xenstore/xenstored_core.h
> +++ b/tools/xenstore/xenstored_core.h
> @@ -271,8 +271,7 @@ const char *dump_state_buffered_data(FILE *fp, const struct connection *c,
> const struct connection *conn,
> struct xs_state_connection *sc);
> const char *dump_state_nodes(FILE *fp, const void *ctx);
> -const char *dump_state_node_perms(FILE *fp, struct xs_state_node *sn,
> - const struct xs_permissions *perms,
> +const char *dump_state_node_perms(FILE *fp, const struct xs_permissions *perms,
> unsigned int n_perms);
>
> void read_state_global(const void *ctx, const void *state);
> diff --git a/tools/xenstore/xenstored_domain.c b/tools/xenstore/xenstored_domain.c
> index 3d4d0649a243..580ed454a3f5 100644
> --- a/tools/xenstore/xenstored_domain.c
> +++ b/tools/xenstore/xenstored_domain.c
> @@ -1254,7 +1254,7 @@ static const char *dump_state_special_node(FILE *fp, const char *name,
> if (fwrite(&sn, sizeof(sn), 1, fp) != 1)
> return "Dump special node error";
>
> - ret = dump_state_node_perms(fp, &sn, perms->p, perms->num);
> + ret = dump_state_node_perms(fp, perms->p, perms->num);
> if (ret)
> return ret;
>
> --
> 2.17.1
>
>
Tested on FVP and another arm board, basic testing (run Xen, dom0, run one/two guests) - Everything fine.
Reviewed-by: Luca Fancellu <luca.fancellu@arm.com>
Cheers,
Luca
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] tools/xenstored: Prevent a buffer overflow in dump_state_node_perms()
2021-05-06 16:12 [PATCH] tools/xenstored: Prevent a buffer overflow in dump_state_node_perms() Julien Grall
2021-05-07 15:45 ` Luca Fancellu
@ 2021-05-10 7:49 ` Juergen Gross
2021-05-10 17:27 ` Julien Grall
1 sibling, 1 reply; 4+ messages in thread
From: Juergen Gross @ 2021-05-10 7:49 UTC (permalink / raw)
To: Julien Grall, xen-devel; +Cc: Julien Grall, Ian Jackson, Wei Liu
[-- Attachment #1.1.1: Type: text/plain, Size: 1990 bytes --]
On 06.05.21 18:12, Julien Grall wrote:
> From: Julien Grall <jgrall@amazon.com>
>
> ASAN reported one issue when Live Updating Xenstored:
>
> =================================================================
> ==873==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc194f53e0 at pc 0x555c6b323292 bp 0x7ffc194f5340 sp 0x7ffc194f5338
> WRITE of size 1 at 0x7ffc194f53e0 thread T0
> #0 0x555c6b323291 in dump_state_node_perms xen/tools/xenstore/xenstored_core.c:2468
> #1 0x555c6b32746e in dump_state_special_node xen/tools/xenstore/xenstored_domain.c:1257
> #2 0x555c6b32a702 in dump_state_special_nodes xen/tools/xenstore/xenstored_domain.c:1273
> #3 0x555c6b32ddb3 in lu_dump_state xen/tools/xenstore/xenstored_control.c:521
> #4 0x555c6b32e380 in do_lu_start xen/tools/xenstore/xenstored_control.c:660
> #5 0x555c6b31b461 in call_delayed xen/tools/xenstore/xenstored_core.c:278
> #6 0x555c6b32275e in main xen/tools/xenstore/xenstored_core.c:2357
> #7 0x7f95eecf3d09 in __libc_start_main ../csu/libc-start.c:308
> #8 0x555c6b3197e9 in _start (/usr/local/sbin/xenstored+0xc7e9)
>
> Address 0x7ffc194f53e0 is located in stack of thread T0 at offset 80 in frame
> #0 0x555c6b32713e in dump_state_special_node xen/tools/xenstore/xenstored_domain.c:1232
>
> This frame has 2 object(s):
> [32, 40) 'head' (line 1233)
> [64, 80) 'sn' (line 1234) <== Memory access at offset 80 overflows this variable
>
> This is happening because the callers are passing a pointer to a variable
> allocated on the stack. However, the field perms is a dynamic array, so
> Xenstored will end up to read outside of the variable.
>
> Rework the code so the permissions are written one by one in the fd.
>
> Fixes: ed6eebf17d2c ("tools/xenstore: dump the xenstore state for live update")
> Signed-off-by: Julien Grall <jgrall@amazon.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Juergen
[-- Attachment #1.1.2: OpenPGP_0xB0DE9DD628BF132F.asc --]
[-- Type: application/pgp-keys, Size: 3135 bytes --]
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] tools/xenstored: Prevent a buffer overflow in dump_state_node_perms()
2021-05-10 7:49 ` Juergen Gross
@ 2021-05-10 17:27 ` Julien Grall
0 siblings, 0 replies; 4+ messages in thread
From: Julien Grall @ 2021-05-10 17:27 UTC (permalink / raw)
To: Juergen Gross, xen-devel; +Cc: Julien Grall, Ian Jackson, Wei Liu
Hi Juergen,
On 10/05/2021 08:49, Juergen Gross wrote:
> On 06.05.21 18:12, Julien Grall wrote:
>> From: Julien Grall <jgrall@amazon.com>
>>
>> ASAN reported one issue when Live Updating Xenstored:
>>
>> =================================================================
>> ==873==ERROR: AddressSanitizer: stack-buffer-overflow on address
>> 0x7ffc194f53e0 at pc 0x555c6b323292 bp 0x7ffc194f5340 sp 0x7ffc194f5338
>> WRITE of size 1 at 0x7ffc194f53e0 thread T0
>> #0 0x555c6b323291 in dump_state_node_perms
>> xen/tools/xenstore/xenstored_core.c:2468
>> #1 0x555c6b32746e in dump_state_special_node
>> xen/tools/xenstore/xenstored_domain.c:1257
>> #2 0x555c6b32a702 in dump_state_special_nodes
>> xen/tools/xenstore/xenstored_domain.c:1273
>> #3 0x555c6b32ddb3 in lu_dump_state
>> xen/tools/xenstore/xenstored_control.c:521
>> #4 0x555c6b32e380 in do_lu_start
>> xen/tools/xenstore/xenstored_control.c:660
>> #5 0x555c6b31b461 in call_delayed
>> xen/tools/xenstore/xenstored_core.c:278
>> #6 0x555c6b32275e in main xen/tools/xenstore/xenstored_core.c:2357
>> #7 0x7f95eecf3d09 in __libc_start_main ../csu/libc-start.c:308
>> #8 0x555c6b3197e9 in _start (/usr/local/sbin/xenstored+0xc7e9)
>>
>> Address 0x7ffc194f53e0 is located in stack of thread T0 at offset 80
>> in frame
>> #0 0x555c6b32713e in dump_state_special_node
>> xen/tools/xenstore/xenstored_domain.c:1232
>>
>> This frame has 2 object(s):
>> [32, 40) 'head' (line 1233)
>> [64, 80) 'sn' (line 1234) <== Memory access at offset 80
>> overflows this variable
>>
>> This is happening because the callers are passing a pointer to a variable
>> allocated on the stack. However, the field perms is a dynamic array, so
>> Xenstored will end up to read outside of the variable.
>>
>> Rework the code so the permissions are written one by one in the fd.
>>
>> Fixes: ed6eebf17d2c ("tools/xenstore: dump the xenstore state for live
>> update")
>> Signed-off-by: Julien Grall <jgrall@amazon.com>
>
> Reviewed-by: Juergen Gross <jgross@suse.com>
Committed.
Cheers,
--
Julien Grall
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-05-10 17:27 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-05-06 16:12 [PATCH] tools/xenstored: Prevent a buffer overflow in dump_state_node_perms() Julien Grall
2021-05-07 15:45 ` Luca Fancellu
2021-05-10 7:49 ` Juergen Gross
2021-05-10 17:27 ` Julien Grall
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.