libxl: Do not trust frontend for vtpm in getinfo
authorIan Jackson <ian.jackson@eu.citrix.com>
Tue, 3 May 2016 15:00:20 +0000 (16:00 +0100)
committerIan Jackson <Ian.Jackson@eu.citrix.com>
Mon, 6 Jun 2016 16:06:44 +0000 (17:06 +0100)
libxl_device_vtpm_getinfo needs to examine devices without trusting
frontend-controlled data.  So:

* Use /libxl to find the backend path.
* Parse the backend path to find the backend domid, rather than
  reading it from the frontend.

This is part of XSA-175.

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
tools/libxl/libxl.c

index 2e6b8c18a0976d82c5d04730b1b8985312eb4f71..6f8fb0839345da4c47eaf55b430126b740ce4a27 100644 (file)
@@ -1909,7 +1909,7 @@ int libxl_device_vtpm_getinfo(libxl_ctx *ctx,
                               libxl_vtpminfo *vtpminfo)
 {
     GC_INIT(ctx);
-    char *dompath, *vtpmpath;
+    char *libxl_path, *dompath, *vtpmpath;
     char *val;
     int rc = 0;
 
@@ -1918,8 +1918,10 @@ int libxl_device_vtpm_getinfo(libxl_ctx *ctx,
     vtpminfo->devid = vtpm->devid;
 
     vtpmpath = GCSPRINTF("%s/device/vtpm/%d", dompath, vtpminfo->devid);
+    libxl_path = GCSPRINTF("%s/device/vtpm/%d",
+                           libxl__xs_libxl_path(gc, domid), vtpminfo->devid);
     vtpminfo->backend = xs_read(ctx->xsh, XBT_NULL,
-          GCSPRINTF("%s/backend", vtpmpath), NULL);
+          GCSPRINTF("%s/backend", libxl_path), NULL);
     if (!vtpminfo->backend) {
         goto err;
     }
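Review bot: `libxl_path` and `vtpmpath` are built from the same `"%s/device/vtpm/%d"` format and differ only in their root, and nothing at this site records which of the two a guest can write to. Because `vtpmpath` stays in use further down, a comment above the two assignments would keep later edits from reaching for the wrong one, e.g. `/* vtpmpath: frontend dir, guest-writable; libxl_path: toolstack-owned /libxl tree */`. The function starts before and continues after this hunk, so the remaining `vtpmpath` readers are only partly visible here.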
@@ -1927,9 +1929,9 @@ int libxl_device_vtpm_getinfo(libxl_ctx *ctx,
        goto err;
     }
 
-    val = libxl__xs_read(gc, XBT_NULL,
-          GCSPRINTF("%s/backend-id", vtpmpath));
-    vtpminfo->backend_id = val ? strtoul(val, NULL, 10) : -1;
+    rc = libxl__backendpath_parse_domid(gc, vtpminfo->backend,
+                                        &vtpminfo->backend_id);
+    if (rc) goto exit;
 
     val = libxl__xs_read(gc, XBT_NULL,
           GCSPRINTF("%s/state", vtpmpath));
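Review bot: The `state` read in the trailing context still goes through `vtpmpath`, the frontend directory, so that value remains guest-controlled after this change. If that is intended because the field is purely informational, say so at the read, e.g. `/* frontend-supplied, informational only; must not drive toolstack decisions */`, and note in the function's documentation which `libxl_vtpminfo` fields originate from the guest. How `val` is consumed lies past the end of the hunk, so it is worth checking there that a missing or malformed value cannot affect anything beyond the reported field.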