* [PATCH for-4.15] tools/xenstored: Avoid dereferencing a NULL pointer if LiveUpdate is failing
@ 2021-02-26 18:26 Julien Grall
2021-03-01 17:40 ` Ian Jackson
2021-03-01 19:19 ` Jürgen Groß
From: Julien Grall @ 2021-02-26 18:26 UTC (permalink / raw)
To: xen-devel; +Cc: raphning, iwj, Julien Grall, Wei Liu, Juergen Gross
From: Julien Grall <jgrall@amazon.com>
In case of failure in do_lu_start(), XenStored will first free lu_start
and then try to dereference it.
This will result in a NULL dereference as the destruction callback will
set lu_start to NULL.
The crash can be avoided by freeing lu_start *after* the reply has been
set.
Fixes: af216a99fb4a ("tools/xenstore: add the basic framework for doing the live update")
Signed-off-by: Julien Grall <jgrall@amazon.com>
---
This is a bug fix candidate for 4.15. The easiest way to trigger it is
to have a XTF test that starts a transaction but never terminates it.
In this case, live-updating would fail and trigger a crash.
---
tools/xenstore/xenstored_control.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/tools/xenstore/xenstored_control.c b/tools/xenstore/xenstored_control.c
index 653890f2d9e0..766b2438396a 100644
--- a/tools/xenstore/xenstored_control.c
+++ b/tools/xenstore/xenstored_control.c
@@ -657,9 +657,8 @@ static bool do_lu_start(struct delayed_request *req)
/* We will reach this point only in case of failure. */
out:
- talloc_free(lu_status);
-
send_reply(lu_status->conn, XS_CONTROL, ret, strlen(ret) + 1);
+ talloc_free(lu_status);
return true;
}
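Review bot: the commit message describes freeing and then dereferencing lu_start, but the variable the hunk frees and then reads through is lu_status; the description should name lu_status so it matches the code it fixes. The reordering itself looks right: send_reply() reads lu_status->conn while the object is still live, and talloc_free(lu_status) now runs only after the reply has been sent, so the destructor clearing the pointer can no longer be observed on this error path.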
--
2.17.1
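As an added example, not code from the patch or from xenstored: a self-contained C model of the ordering bug described above, with a constructed stand-in for a talloc context whose destructor resets the global lu_status to NULL (the connection struct, talloc_free_stub and lu_begin are assumptions made here, not xenstored APIs).

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for xenstored's connection: records the last reply. */
struct connection { char last_reply[64]; };

/* Stand-in for a talloc context whose destructor runs on free. */
struct lu_status {
    struct connection *conn;
    int (*destructor)(struct lu_status *);
};

static struct lu_status *lu_status;   /* global, as in xenstored_control.c */
/* The destructor resets the global to NULL, as the commit message describes. */
static int lu_destroy(struct lu_status *s) { (void)s; lu_status = NULL; return 0; }

static void talloc_free_stub(struct lu_status *s)   /* stand-in for talloc_free() */
{
    if (s && s->destructor) s->destructor(s);
    free(s);
}

static void send_reply(struct connection *c, const char *ret)
{
    strncpy(c->last_reply, ret, sizeof(c->last_reply) - 1);
    c->last_reply[sizeof(c->last_reply) - 1] = '\0';
}

static void lu_begin(struct connection *c)   /* constructed setup helper */
{
    lu_status = calloc(1, sizeof(*lu_status));
    lu_status->conn = c;
    lu_status->destructor = lu_destroy;
}

/* Pre-patch ordering: free first, then read lu_status->conn. Returns false
 * at the point where the real code would dereference NULL. */
static bool lu_fail_buggy(const char *ret)
{
    talloc_free_stub(lu_status);
    if (lu_status == NULL) return false;
    send_reply(lu_status->conn, ret);
    return true;
}

/* Post-patch ordering: send the reply while lu_status is valid, then free. */
static bool lu_fail_fixed(const char *ret)
{
    send_reply(lu_status->conn, ret);
    talloc_free_stub(lu_status);
    return true;
}
```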
* Re: [PATCH for-4.15] tools/xenstored: Avoid dereferencing a NULL pointer if LiveUpdate is failing
From: Ian Jackson @ 2021-03-01 17:40 UTC (permalink / raw)
To: Julien Grall; +Cc: xen-devel, raphning, Julien Grall, Wei Liu, Juergen Gross
Julien Grall writes ("[PATCH for-4.15] tools/xenstored: Avoid dereferencing a NULL pointer if LiveUpdate is failing"):
> From: Julien Grall <jgrall@amazon.com>
>
> In case of failure in do_lu_start(), XenStored will first free lu_start
> and then try to dereference it.
>
> This will result in a NULL dereference as the destruction callback will
> set lu_start to NULL.
>
> The crash can be avoided by freeing lu_start *after* the reply has been
> set.
>
> Fixes: af216a99fb4a ("tools/xenstore: add the basic framework for doing the live update")
> Signed-off-by: Julien Grall <jgrall@amazon.com>
Release-Acked-by: Ian Jackson <iwj@xenproject.org>
* Re: [PATCH for-4.15] tools/xenstored: Avoid dereferencing a NULL pointer if LiveUpdate is failing
From: Jürgen Groß @ 2021-03-01 19:19 UTC (permalink / raw)
To: Julien Grall, xen-devel; +Cc: raphning, iwj, Julien Grall, Wei Liu
On 26.02.21 19:26, Julien Grall wrote:
> From: Julien Grall <jgrall@amazon.com>
>
> In case of failure in do_lu_start(), XenStored will first free lu_start
> and then try to dereference it.
>
> This will result in a NULL dereference as the destruction callback will
> set lu_start to NULL.
>
> The crash can be avoided by freeing lu_start *after* the reply has been
> set.
>
> Fixes: af216a99fb4a ("tools/xenstore: add the basic framework for doing the live update")
> Signed-off-by: Julien Grall <jgrall@amazon.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Juergen
* Re: [PATCH for-4.15] tools/xenstored: Avoid dereferencing a NULL pointer if LiveUpdate is failing
From: Julien Grall @ 2021-03-02 9:43 UTC (permalink / raw)
To: Jürgen Groß, xen-devel; +Cc: raphning, iwj, Julien Grall, Wei Liu
Hi Juergen,
On 01/03/2021 19:19, Jürgen Groß wrote:
> On 26.02.21 19:26, Julien Grall wrote:
>> From: Julien Grall <jgrall@amazon.com>
>>
>> In case of failure in do_lu_start(), XenStored will first free lu_start
>> and then try to dereference it.
>>
>> This will result in a NULL dereference as the destruction callback will
>> set lu_start to NULL.
>>
>> The crash can be avoided by freeing lu_start *after* the reply has been
>> set.
>>
>> Fixes: af216a99fb4a ("tools/xenstore: add the basic framework for
>> doing the live update")
>> Signed-off-by: Julien Grall <jgrall@amazon.com>
>
> Reviewed-by: Juergen Gross <jgross@suse.com>
Thanks! I have committed the patch.
Cheers,
--
Julien Grall