From: Juergen Gross <jgross@suse.com>
To: xen-devel@lists.xenproject.org
Cc: Juergen Gross <jgross@suse.com>, Wei Liu <wl@xen.org>,
	Julien Grall <julien@xen.org>,
	Anthony PERARD <anthony.perard@citrix.com>
Subject: [PATCH v2 2/2] tools/xenstore: fix get_spec_node()
Date: Sat, 22 Jul 2023 10:16:46 +0200
Message-ID: <20230722081646.4136-3-jgross@suse.com>
In-Reply-To: <20230722081646.4136-1-jgross@suse.com>

In case get_spec_node() is being called for a special node starting
with '@' it won't set *canonical_name. This can result in a crash of
xenstored due to dereferencing the uninitialized name in
fire_watches().

This is no security issue as it requires either a privileged caller or
ownership of the special node in question by an unprivileged caller
(which is questionable, as this would make the owner privileged in some
way).

Fixes: d6bb63924fc2 ("tools/xenstore: introduce dummy nodes for special watch paths")
Signed-off-by: Juergen Gross <jgross@suse.com>
---
 tools/xenstore/xenstored_core.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
index 3d3c39bd70..749717ec25 100644
--- a/tools/xenstore/xenstored_core.c
+++ b/tools/xenstore/xenstored_core.c
@@ -1253,8 +1253,11 @@ static struct node *get_spec_node(struct connection *conn, const void *ctx,
 				  const char *name, const char **canonical_name,
 				  unsigned int perm)
 {
-	if (name[0] == '@')
+	if (name[0] == '@') {
+		if (canonical_name)
+			*canonical_name = name;
 		return get_node(conn, ctx, name, perm);
+	}
 
 	return get_node_canonicalized(conn, ctx, name, canonical_name, perm);
 }
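Review bot: `*canonical_name = name;` stores the caller's own input pointer, not a string allocated under ctx, so the lifetime of what callers receive through canonical_name now differs between the '@' branch and the get_node_canonicalized() branch; a one-line comment above the assignment (e.g. `/* Special nodes are already canonical. */`) would make that intent explicit. Note also that the assignment is made before get_node() is called, so on a NULL return *canonical_name is still set to name; that is fine as long as callers only consult canonical_name when a node was actually returned, which is worth stating in the commit message.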
-- 
2.35.3