thr3ads.net - Xen devel - [Xen-devel] [PATCH, v2] fix invalid free segfault and use-after-free in libxl_device_disk

If this information is useful, please help other people find it:
Share via:

Gianni Tedesco

2010-Aug-13 16:16 UTC

[Xen-devel] [PATCH, v2] fix invalid free segfault and use-after-free in libxl_device_disk_list()

Changes from v1: Oops, broke disks->is_cdrom check. This is correct fix.

8<-----------------------------------------------------------------------
Gah, libxl_device_disk_list() is returning a lot of pointers to free''d
data. Fix that by replacing libxl_xs_read() with xs_read() in line with
the policy.

Also fix a segfault caused by an erroneous free of the last disk-list
array element rather than the first one. This was causing xl create to
segfault when using the new qemu-dm code-base. Fix that and add a
comment about the fact that this libxl API requires a corresponding
libxl_device_disk_free() function.

Signed-off-by: Gianni Tedesco <gianni.tedesco@citrix.com>

diff -r dc335ebde3b5 tools/libxl/libxl.c
--- a/tools/libxl/libxl.c	Thu Aug 12 18:03:23 2010 +0100
+++ b/tools/libxl/libxl.c	Fri Aug 13 17:19:29 2010 +0100
@@ -1303,17 +1303,17 @@ static char ** libxl_build_device_model_
         flexarray_set(dm_args, num++, "xenfv");
 
     disks = libxl_device_disk_list(libxl_gc_owner(gc), info->domid,
&nb);
-    for (; nb > 0; --nb, ++disks) {
-        if ( disks->is_cdrom ) {
+    for (i; i < nb; i++) {
+        if ( disks[i].is_cdrom ) {
             flexarray_set(dm_args, num++, "-cdrom");
-            flexarray_set(dm_args, num++, disks->physpath);
+            flexarray_set(dm_args, num++, disks[i].physpath);
         }else{
-            flexarray_set(dm_args, num++, libxl_sprintf(gc, "-%s",
disks->virtpath));
-            flexarray_set(dm_args, num++, disks->physpath);
+            flexarray_set(dm_args, num++, libxl_sprintf(gc, "-%s",
disks[i].virtpath));
+            flexarray_set(dm_args, num++, disks[i].physpath);
         }
     }
+    /* FIXME: leaks disk paths */
     free(disks);
-
     flexarray_set(dm_args, num++, NULL);
     return (char **) flexarray_contents(dm_args);
 }
@@ -2435,7 +2435,7 @@ libxl_device_disk *libxl_device_disk_lis
     char *be_path_tap, *be_path_vbd;
     libxl_device_disk *dend, *disks, *ret = NULL;
     char **b, **l = NULL;
-    unsigned int numl;
+    unsigned int numl, len;
     char *type;
 
     be_path_vbd = libxl_sprintf(&gc, "%s/backend/vbd/%d",
libxl_xs_get_dompath(&gc, 0), domid);
@@ -2450,9 +2450,9 @@ libxl_device_disk *libxl_device_disk_lis
         for (; disks < dend; ++disks, ++l) {
             disks->backend_domid = 0;
             disks->domid = domid;
-            disks->physpath = libxl_xs_read(&gc, XBT_NULL,
libxl_sprintf(&gc, "%s/%s/params", be_path_vbd, *l));
+            disks->physpath = xs_read(ctx->xsh, XBT_NULL,
libxl_sprintf(&gc, "%s/%s/params", be_path_vbd, *l), &len);
             libxl_string_to_phystype(ctx, libxl_xs_read(&gc, XBT_NULL,
libxl_sprintf(&gc, "%s/%s/type", be_path_vbd, *l)),
&(disks->phystype));
-            disks->virtpath = libxl_xs_read(&gc, XBT_NULL,
libxl_sprintf(&gc, "%s/%s/dev", be_path_vbd, *l));
+            disks->virtpath = xs_read(ctx->xsh, XBT_NULL,
libxl_sprintf(&gc, "%s/%s/dev", be_path_vbd, *l), &len);
             disks->unpluggable = atoi(libxl_xs_read(&gc, XBT_NULL,
libxl_sprintf(&gc, "%s/%s/removable", be_path_vbd, *l)));
             if (!strcmp(libxl_xs_read(&gc, XBT_NULL, libxl_sprintf(&gc,
"%s/%s/mode", be_path_vbd, *l)), "w"))
                 disks->readwrite = 1;
@@ -2470,9 +2470,9 @@ libxl_device_disk *libxl_device_disk_lis
         for (dend = ret + *num; disks < dend; ++disks, ++l) {
             disks->backend_domid = 0;
             disks->domid = domid;
-            disks->physpath = libxl_xs_read(&gc, XBT_NULL,
libxl_sprintf(&gc, "%s/%s/params", be_path_tap, *l));
+            disks->physpath = xs_read(ctx->xsh, XBT_NULL,
libxl_sprintf(&gc, "%s/%s/params", be_path_tap, *l), &len);
             libxl_string_to_phystype(ctx, libxl_xs_read(&gc, XBT_NULL,
libxl_sprintf(&gc, "%s/%s/type", be_path_tap, *l)),
&(disks->phystype));
-            disks->virtpath = libxl_xs_read(&gc, XBT_NULL,
libxl_sprintf(&gc, "%s/%s/dev", be_path_tap, *l));
+            disks->virtpath = xs_read(ctx->xsh, XBT_NULL,
libxl_sprintf(&gc, "%s/%s/dev", be_path_tap, *l), &len);
             disks->unpluggable = atoi(libxl_xs_read(&gc, XBT_NULL,
libxl_sprintf(&gc, "%s/%s/removable", be_path_tap, *l)));
             if (!strcmp(libxl_xs_read(&gc, XBT_NULL, libxl_sprintf(&gc,
"%s/%s/mode", be_path_tap, *l)), "w"))
                 disks->readwrite = 1;
@@ -2552,6 +2552,7 @@ int libxl_cdrom_insert(libxl_ctx *ctx, u
         libxl_device_disk_add(ctx, stubdomid, disk);
         disk->domid = domid;
     }
+    /* FIXME: leaks disk paths */
     free(disks);
     return 0;
 }



_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Ian Campbell

2010-Aug-16 09:53 UTC

head link

[Xen-devel] Re: [PATCH, v2] fix invalid free segfault and use-after-free in libxl_device_disk_list()

On Fri, 2010-08-13 at 17:16 +0100, Gianni Tedesco (3P)
wrote:> +    /* FIXME: leaks disk paths */
>      free(disks);
> [...]
>          disk->domid = domid;
>      }
> +    /* FIXME: leaks disk paths */
>      free(disks);
>      return 0;
>  }
I''ve added this to my destructor autogeneration series:

diff -r ef610efe28c8 tools/libxl/libxl.c
--- a/tools/libxl/libxl.c	Mon Aug 16 10:50:53 2010 +0100
+++ b/tools/libxl/libxl.c	Mon Aug 16 10:52:26 2010 +0100
@@ -1337,8 +1337,8 @@ static char ** libxl_build_device_model_
             flexarray_set(dm_args, num++, libxl_sprintf(gc, "-%s",
disks[i].virtpath));
             flexarray_set(dm_args, num++, disks[i].physpath);
         }
+        libxl_device_disk_destroy(&disks[i]);
     }
-    /* FIXME: leaks disk paths */
     free(disks);
     flexarray_set(dm_args, num++, NULL);
     return (char **) flexarray_contents(dm_args);
@@ -2552,6 +2552,7 @@ int libxl_cdrom_insert(libxl_ctx *ctx, u
     int num, i;
     uint32_t stubdomid;
     libxl_device_disk *disks;
+    int ret = ERROR_FAIL;
 
     if (!disk->physpath) {
         disk->physpath = "";
@@ -2565,9 +2566,11 @@ int libxl_cdrom_insert(libxl_ctx *ctx, u
     }
     if (i == num) {
         XL_LOG(ctx, XL_LOG_ERROR, "Virtual device not found");
-        free(disks);
-        return ERROR_FAIL;
+        goto out;
     }
+
+    ret = 0;
+
     libxl_device_disk_del(ctx, disks + i, 1);
     libxl_device_disk_add(ctx, domid, disk);
     stubdomid = libxl_get_stubdom_id(ctx, domid);
@@ -2578,9 +2581,11 @@ int libxl_cdrom_insert(libxl_ctx *ctx, u
         libxl_device_disk_add(ctx, stubdomid, disk);
         disk->domid = domid;
     }
-    /* FIXME: leaks disk paths */
+out:
+    for (i = 0; i < num; i++)
+        libxl_device_disk_destroy(&disks[i]);
     free(disks);
-    return 0;
+    return ret;
 }
 
 /******************************************************************************/




_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Xen devel - Aug 2010 - [PATCH, v2] fix invalid free segfault and use-after-free in libxl_device_disk_list()

[Xen-devel] [PATCH, v2] fix invalid free segfault and use-after-free in libxl_device_disk_list()

[Xen-devel] Re: [PATCH, v2] fix invalid free segfault and use-after-free in libxl_device_disk_list()