WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xense-devel

Re: [Xen-devel][Xense-devel][PATCH][2/4] Xen Securtiy Modules: FLASK

To: "George S. Coker, II" <gscoker@xxxxxxxxxxxxxx>
Subject: Re: [Xen-devel][Xense-devel][PATCH][2/4] Xen Securtiy Modules: FLASK
From: Chris Wright <chrisw@xxxxxxxxxxxx>
Date: Mon, 7 May 2007 16:24:48 -0700
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx, xense-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Mon, 07 May 2007 16:23:17 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <1178574074.6520.88.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <1178574074.6520.88.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.5.14 (2007-02-12)
And to drill down into module based on core evtchn stuff...

> +static int flask_alloc_security_evtchn(struct evtchn *chn)
> +{
> +    int i;
> +    struct evtchn_security_struct *esec;
> +
> +    for ( i = 0; i < EVTCHNS_PER_BUCKET; i++ ) {
> +        esec = xmalloc(struct evtchn_security_struct);
> +    

As I mentioned in 1/4 review, this should be done at higher level.

> +        if (!esec)
> +            return -ENOMEM;

In fact, this is a leak because there's no unwind, and bucket
is freed if this error is encountered.

> +        
> +        memset(esec, 0, sizeof(struct evtchn_security_struct));
> +    
> +        esec->chn = &chn[i];
> +        esec->sid = SECINITSID_UNLABELED;
> +
> +        (&chn[i])->ssid = esec;
> +    }
> +    
> +    return 0;    
> +}
> +
> +static void flask_free_security_evtchn(struct evtchn *chn)
> +{
> +    int i;
> +    struct evtchn_security_struct *esec;
> +
> +    if (!chn)
> +        return;
> +            
> +    for ( i = 0; i < EVTCHNS_PER_BUCKET; i++ ) {
> +        esec = (&chn[i])->ssid;

This is not a bucket, because this _is_ done at a higher level.  Thus,
writing on and freeing random memory.

> +    
> +        if (!esec)
> +            continue;
> +        
> +        (&chn[i])->ssid = NULL;
> +        xfree(esec);
> +    }
> +
> +}

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

<Prev in Thread] Current Thread [Next in Thread>