WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-changelog

[Xen-changelog] [xen-unstable] xenstored: fix use-after free bug

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [xen-unstable] xenstored: fix use-after free bug
From: Xen patchbot-unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 03 Mar 2009 11:10:13 -0800
Delivery-date: Tue, 03 Mar 2009 11:10:13 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1235919004 0
# Node ID 226031d62fc53d92df1aa7ba5565e887fa925318
# Parent  edd7f612ebe0bb4e69159e76435b0b59caaa539d
xenstored: fix use-after free bug

Problem:  Handling requests for one connection can not only zap the
connection itself, due to socket disconnects for example.  It can also
zap *other* connections, due to domain release requests.  Especially
it can zap the connection we have saved a pointer to in the "next"
variable.

From: Gerd Hoffmann <kraxel@xxxxxxxxxx>
Signed-off-by: Keir Fraser <keir.fraser@xxxxxxxxxx>
---
 tools/xenstore/xenstored_core.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff -r edd7f612ebe0 -r 226031d62fc5 tools/xenstore/xenstored_core.c
--- a/tools/xenstore/xenstored_core.c   Sun Mar 01 14:35:57 2009 +0000
+++ b/tools/xenstore/xenstored_core.c   Sun Mar 01 14:50:04 2009 +0000
@@ -1937,14 +1937,17 @@ int main(int argc, char *argv[])
                        handle_event();
 
                next = list_entry(connections.next, typeof(*conn), list);
+               if (&next->list != &connections)
+                       talloc_increase_ref_count(next);
                while (&next->list != &connections) {
                        conn = next;
 
                        next = list_entry(conn->list.next,
                                          typeof(*conn), list);
+                       if (&next->list != &connections)
+                               talloc_increase_ref_count(next);
 
                        if (conn->domain) {
-                               talloc_increase_ref_count(conn);
                                if (domain_can_read(conn))
                                        handle_input(conn);
                                if (talloc_free(conn) == 0)
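Review bot: the two new guards `if (&next->list != &connections) talloc_increase_ref_count(next);` (one before the loop, one after each advance of `next`) repeat the loop's own condition, and nothing in the hunk says where that reference is released; a one-line comment above the first guard stating that the reference is consumed by the `talloc_free(conn)` at the end of the iteration would make the pairing obvious, and a small helper for the guard would remove the duplication. Dropping `talloc_increase_ref_count(conn)` inside `if (conn->domain)` is correct only because every `conn` processed by the loop was `next` in the previous step and therefore already carries the reference; that holds for the lines shown, but any exit from the while loop other than reaching the list head would leave the reference on `next` unreleased, so the rest of the loop body should be checked for an early `break`.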
@@ -1957,7 +1960,6 @@ int main(int argc, char *argv[])
                                if (talloc_free(conn) == 0)
                                        continue;
                        } else {
-                               talloc_increase_ref_count(conn);
                                if (FD_ISSET(conn->fd, &inset))
                                        handle_input(conn);
                                if (talloc_free(conn) == 0)
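Review bot: removing `talloc_increase_ref_count(conn)` in the `else` (socket) branch balances the `talloc_free(conn)` below it against the reference taken on `next` in the previous hunk, matching the change in the domain branch. The `if (talloc_free(conn) == 0)` at the top of this hunk is a second free in the domain branch whose matching reference is acquired in the lines between the two hunks, which this diff does not touch; it is worth confirming that the increase/free pair left there is still balanced now that the first reference in each iteration comes from `next` rather than `conn`. A short comment at the `else` branch noting that the reference was taken while this connection was `next` would help readers, since the commit message is currently the only record of the scheme.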

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
