[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 2/3] tools/oxenstored: Reject invalid watch paths early


  • To: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Christian Lindig <christian.lindig@xxxxxxxxxx>
  • Date: Thu, 4 Feb 2021 10:51:50 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=76niKCVuE399JwJvasuKex51F5wmIyh13P0i0k6gpwg=; b=P/uZPCCrwHXATOjkQYbeZwfb2kLyHVYp8n7akJQUd9d7v8DuHYuQ9Mv1hmh9Q3gyAsMBcsrbnCJBl4DCw/r4E9V2RmFkQR+TenO/em51f5D2fbu1q/57H7WXddyPk5BZmL4Q6cP0YpZNeyOdZ/5PMg9IoGV5xI+tXodWgX/m5FbNc8F9PUUjlIgyRfN1EmSLPMfCFOZS8NFWWQfRjmW6DaVsd+uVWjenBkblnOlXQeKvjF1EakQr16b43bLj6RSGph9eryQaSL2N0r6szlRtUi7ifzcTWwwKqjSHWoZQz6Gs63Tgk1tfQ6lPaAY5yrlA7KlwT6N5yLeM9LMVbDUrfw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=XAaP0d26FshZ6wzmD7AeCYT2EkYo/6vekY2A5Tygp6KmYG4Y96HwoySAD6EbkewafF/LJwqs9H8dVhlb3IFNmKy+3CPSAXQOQO7090WrPz+dzGQrrrNyirHk9T4grWIydNTd/cTE7VGFi4zXgN3lpklDqYjHhfQ1G9vLEU50mDLsvkFwJXHdnc9Hf17xEEbTvJGIGuQVNtBadSbWaOUQd+7Nrdsb1vftVP74mybjXlyYcMWsTaN+VugMYAtlLf8fI7zuhJ28sLPLjJa11BAy78kIVq4h7B5FzPzBxdDfTQJu3fcHU4NdMZXS8Fl5n80xUcuKBMLBsf7vfygrfW6J2g==
  • Authentication-results: esa5.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
  • Cc: Edwin Torok <edvin.torok@xxxxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>
  • Delivery-date: Thu, 04 Feb 2021 10:52:14 +0000
  • Ironport-sdr: DqMqhx+JEI+J+j6VoIfDYeLBiX1QlMtbV6GCcvQ0geFcX17WaltYtY7MW55p3wWLRqhNhYtq3Q QjSMZuvCHLUIs9pkqUvKwEZ/tw+0TRVGU/KTzxvBRCrKd/qJl4S4cOUDtAmUS+Qx7sLPK/PdQH eVu2AiLYWg4WtYjaKf15YLGfitRa8/1O+T7Auk8X5KUoHsO1JS49B3xI1e3e+BY2qYM1odfL/j 6OK37eQBx0zn9hp41/P4eHpNRDcmqKuU+GekUv3uvOeiVlOQfLCRwYsri0MXqpvy6zQ2vyzUDz Nbs=
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHW+lMQLgaeDrvHYEyTG7gcxvIkFqpH0ZCg
  • Thread-topic: [PATCH 2/3] tools/oxenstored: Reject invalid watch paths early

Acked-by: Christian Lindig <christian.lindig@xxxxxxxxxx>

Great work. Fuzzing is often thought as best to find bugs in languages like C 
where memory is explicitly managed but here it reveals logical bugs.

________________________________________
From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Sent: 03 February 2021 17:35
To: Xen-devel
Cc: Edwin Torok; Christian Lindig; Ian Jackson; Wei Liu
Subject: [PATCH 2/3] tools/oxenstored: Reject invalid watch paths early

From: Edwin Török <edvin.torok@xxxxxxxxxx>

Watches on invalid paths were accepted, but they would never trigger.  The
client also got no notification that its watch is bad and would never trigger.

Found again by the structured fuzzer, due to an error on live update reload:
the invalid watch paths would get rejected during live update and the list of
watches would be different pre/post live update.

The testcase is watch on `//`, which is an invalid path.

Signed-off-by: Edwin Török <edvin.torok@xxxxxxxxxx>
---
CC: Christian Lindig <christian.lindig@xxxxxxxxxx>
CC: Ian Jackson <iwj@xxxxxxxxxxxxxx>
CC: Wei Liu <wl@xxxxxxx>
---
 tools/ocaml/xenstored/connection.ml  | 5 ++---
 tools/ocaml/xenstored/connections.ml | 4 +++-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/tools/ocaml/xenstored/connection.ml 
b/tools/ocaml/xenstored/connection.ml
index d09a0fa405..65f99ea6f2 100644
--- a/tools/ocaml/xenstored/connection.ml
+++ b/tools/ocaml/xenstored/connection.ml
@@ -158,18 +158,17 @@ let get_children_watches con path =
 let is_dom0 con =
        Perms.Connection.is_dom0 (get_perm con)

-let add_watch con path token =
+let add_watch con (path, apath) token =
        if !Quota.activate && !Define.maxwatch > 0 &&
           not (is_dom0 con) && con.nb_watches > !Define.maxwatch then
                raise Quota.Limit_reached;
-       let apath = get_watch_path con path in
        let l = get_watches con apath in
        if List.exists (fun w -> w.token = token) l then
                raise Define.Already_exist;
        let watch = watch_create ~con ~token ~path in
        Hashtbl.replace con.watches apath (watch :: l);
        con.nb_watches <- con.nb_watches + 1;
-       apath, watch
+       watch

 let del_watch con path token =
        let apath = get_watch_path con path in
diff --git a/tools/ocaml/xenstored/connections.ml 
b/tools/ocaml/xenstored/connections.ml
index 8a66eeec3a..3c7429fe7f 100644
--- a/tools/ocaml/xenstored/connections.ml
+++ b/tools/ocaml/xenstored/connections.ml
@@ -114,8 +114,10 @@ let key_of_path path =
        "" :: Store.Path.to_string_list path

 let add_watch cons con path token =
-       let apath, watch = Connection.add_watch con path token in
+       let apath = Connection.get_watch_path con path in
+       (* fail on invalid paths early by calling key_of_str before adding 
watch *)
        let key = key_of_str apath in
+       let watch = Connection.add_watch con (path, apath) token in
        let watches =
                if Trie.mem cons.watches key
                then Trie.find cons.watches key
--
2.11.0




 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.