Commit
562a1c0f7ef3fb ("tools/xenstore: dont unlink connection object
twice") introduced a potential use after free problem in
domain_cleanup(): after calling talloc_unlink() for domain->conn
domain->conn is set to NULL. The problem is that domain is registered
as talloc child of domain->conn, so it might be freed by the
talloc_unlink() call.
With Xenstore being single threaded there are normally no concurrent
memory allocations running and freeing a virtual memory area normally
doesn't result in that area no longer being accessible. A problem
could occur only in case either a signal received results in some
memory allocation done in the signal handler (SIGHUP is a primary
candidate leading to reopening the log file), or in case the talloc
framework would do some internal memory allocation during freeing of
the memory (which would lead to clobbering of the freed domain
structure).
Fixes: 562a1c0f7ef3fb ("tools/xenstore: dont unlink connection object twice")
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
(cherry picked from commit
bb2a34fd740e9a26be9e2244f1a5b4cef439e5a8)
(cherry picked from commit
dc5176d0f9434e275e0be1df8d0518e243798beb)
(cherry picked from commit
a997ffe678e698ff2b4c89ae5a98661d12247fef)
(cherry picked from commit
48e8564435aca590f1c292ab7bb1f3dbc6b75693)
{
xc_dominfo_t dominfo;
struct domain *domain;
+ struct connection *conn;
int notify = 0;
again:
continue;
}
if (domain->conn) {
- talloc_unlink(talloc_autofree_context(), domain->conn);
+ /* domain is a talloc child of domain->conn. */
+ conn = domain->conn;
domain->conn = NULL;
+ talloc_unlink(talloc_autofree_context(), conn);
notify = 0; /* destroy_domain() fires the watch */
goto again;
}
projects / xen.git / commitdiff