WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
xen-changelog

[Xen-changelog] [xen-3.1-testing] Fix use-after-free in xenconsoled.

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [xen-3.1-testing] Fix use-after-free in xenconsoled.
From: "Xen patchbot-3.1-testing" <patchbot-3.1-testing@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 02 Nov 2007 07:30:18 -0700
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User Keir Fraser <keir@xxxxxxxxxxxxx>
# Date 1193934959 0
# Node ID 039ff3dbba5fc79c98fb8c6025d0cc91624a1283
# Parent  27347d6d73a359aa8aece2ad10d9cc8b924b3990
Fix use-after-free in xenconsoled.

shutdown_domain() MUST NOT call cleanup_domain(), just flagging them
as dead is enough.  cleanup_domains() for dead domains is called by
the main loop in handle_io() in a safe way already.

shutdown_domain() calling cleanup_domain() too leads to struct domain
being accessed after freeing and to a double-free.

Fixed by simply dropping the cleanup_domain() call and by making the
functions called by the main loop in handle_io() ignore dead domains.

Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
xen-unstable changeset:   16289:2462265f09ae310d7c8e8b194ce9e01430cb9071
xen-unstable date:        Thu Nov 01 16:34:43 2007 +0000
---
 tools/console/daemon/io.c |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletion(-)

diff -r 27347d6d73a3 -r 039ff3dbba5f tools/console/daemon/io.c
--- a/tools/console/daemon/io.c Thu Nov 01 16:26:38 2007 +0000
+++ b/tools/console/daemon/io.c Thu Nov 01 16:35:59 2007 +0000
@@ -469,7 +469,6 @@ static void shutdown_domain(struct domai
        if (d->xce_handle != -1)
                xc_evtchn_close(d->xce_handle);
        d->xce_handle = -1;
-       cleanup_domain(d);
 }
 
 void enum_domains(void)
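
Review bot: with the cleanup_domain(d) call gone, nothing at the end of shutdown_domain() records that freeing is deliberately deferred to the main loop in handle_io(), so a later change could put the call back and reintroduce the double-free. A short comment after "d->xce_handle = -1;" saying that the domain is only flagged here and freed by the main loop would guard against that. The new is_dead guards in the handlers also depend on the flag being set on every path that reaches this function; that assignment is outside the visible context and is worth confirming.
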
@@ -515,6 +514,9 @@ static void handle_tty_read(struct domai
        struct xencons_interface *intf = dom->interface;
        XENCONS_RING_IDX prod;
 
+       if (dom->is_dead)
+               return;
+
        len = ring_free_bytes(dom);
        if (len == 0)
                return;
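
Review bot: in handle_tty_read() the new is_dead check sits after the initializer "struct xencons_interface *intf = dom->interface;", so dom->interface is still read for a dead domain before the early return. That is only a pointer load from a struct domain that remains allocated until the main loop cleans it up, so it is not itself a use-after-free, but assigning intf after the guard would keep every access to the domain's fields behind the check.
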
@@ -552,6 +554,9 @@ static void handle_tty_write(struct doma
 {
        ssize_t len;
 
+       if (dom->is_dead)
+               return;
+
        len = write(dom->tty_fd, dom->buffer.data + dom->buffer.consumed,
                    dom->buffer.size - dom->buffer.consumed);
        if (len < 1) {
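
Review bot: the same three-line "if (dom->is_dead) return;" guard is now repeated at the top of handle_tty_read(), handle_tty_write() and handle_ring_read(), so any handler added later has to remember it. Since the commit message says all three are called from the main loop in handle_io(), a single is_dead check at that call site, or a comment there stating that handlers must tolerate dead domains, would make the invariant harder to break.
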
@@ -574,6 +579,9 @@ static void handle_ring_read(struct doma
 static void handle_ring_read(struct domain *dom)
 {
        evtchn_port_t port;
+
+       if (dom->is_dead)
+               return;
 
        if ((port = xc_evtchn_pending(dom->xce_handle)) == -1)
                return;
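
Review bot: in handle_ring_read() the guard is what keeps xc_evtchn_pending() from being called with the -1 that shutdown_domain() stores in d->xce_handle, so is_dead and xce_handle == -1 are two pieces of state that must stay in step. A one-line comment on the guard noting that a dead domain has a closed event channel handle would make that dependency explicit. As a style point, the guard here is placed after an added blank line and before the existing one, unlike the other two handlers where a blank line is added after it.
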

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
