From: Julien Grall <jgrall@amazon.com>
Date: Fri, 22 Sep 2023 10:32:16 +0000 (+0100)
Subject: tools/xenstored: domain_entry_fix(): Handle conflicting transaction
X-Git-Tag: RELEASE-4.16.6~61
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=3382512b9f5e0d8cf37709d7cb47389d2ce8e624;p=xen.git

tools/xenstored: domain_entry_fix(): Handle conflicting transaction

The function domain_entry_fix() will be initially called to check if the
quota is correct before attempt to commit any nodes. So it would be
possible that accounting is temporarily negative. This is the case
in the following sequence:

  1) Create 50 nodes
  2) Start two transactions
  3) Delete all the nodes in each transaction
  4) Commit the two transactions

Because the first transaction will have succeed and updated the
accounting, there is no guarantee that 'd->nbentry + num' will still
be above 0. So the assert() would be triggered.
The assert() was introduced in dbef1f748289 ("tools/xenstore: simplify
and fix per domain node accounting") with the assumption that the
value can't be negative. As this is not true revert to the original
check but restricted to the path where we don't update. Take the
opportunity to explain the rationale behind the check.

This CVE-2023-34323 / XSA-440.

Fixes: dbef1f748289 ("tools/xenstore: simplify and fix per domain node accounting")
Signed-off-by: Julien Grall <jgrall@amazon.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
(cherry picked from commit c4e05c97f57d236040d1da5c1fbf6e3699dc86ea)
---

diff --git a/tools/xenstore/xenstored_domain.c b/tools/xenstore/xenstored_domain.c
index ddd49eddfa..a3475284ea 100644
--- a/tools/xenstore/xenstored_domain.c
+++ b/tools/xenstore/xenstored_domain.c
@@ -1062,10 +1062,20 @@ int domain_entry_fix(unsigned int domid, int num, bool update)
 	}
 
 	cnt = d->nbentry + num;
-	assert(cnt >= 0);
 
-	if (update)
+	if (update) {
+		assert(cnt >= 0);
 		d->nbentry = cnt;
+	} else if (cnt < 0) {
+		/*
+		 * In a transaction when a node is being added/removed AND
+		 * the same node has been added/removed outside the
+		 * transaction in parallel, the result value may be negative.
+		 * This is no problem, as the transaction will fail due to
+		 * the resulting conflict. So override 'cnt'.
+		 */
+		cnt = 0;
+	}
 
 	return domid_is_unprivileged(domid) ? cnt : 0;
 }