xenbits.xensource.com Git - xen.git/commit

author	Juergen Gross <jgross@suse.com>
	Tue, 13 Sep 2022 05:35:10 +0000 (07:35 +0200)
committer	Andrew Cooper <andrew.cooper3@citrix.com>
	Tue, 1 Nov 2022 13:05:44 +0000 (13:05 +0000)
commit	2a587de219cc0765330fbf9fac6827bfaf29e29b
tree	1a5af0a6ce9f3e80eaea3834298a20657244b5f9	tree
parent	c7bc20d8d123851a468402bbfc9e3330efff21ec	commit \| diff

tools/xenstore: don't use conn->in as context for temporary allocations

Using the struct buffered data pointer of the current processed request
for temporary data allocations has a major drawback: the used area (and
with that the temporary data) is freed only after the response of the
request has been written to the ring page or has been read via the
socket. This can happen much later in case a guest isn't reading its
responses fast enough.

As the temporary data can be safely freed after creating the response,
add a temporary context for that purpose and use that for allocating
the temporary memory, as it was already the case before commit
cc0612464896 ("xenstore: add small default data buffer to internal
struct").

Some sub-functions need to gain the "const" attribute for the talloc
context.

This is XSA-416 / CVE-2022-42319.

Fixes: cc0612464896 ("xenstore: add small default data buffer to internal struct")
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>

tools/xenstore/xenstored_control.c		diff \| blob \| blame \| history
tools/xenstore/xenstored_control.h		diff \| blob \| blame \| history
tools/xenstore/xenstored_core.c		diff \| blob \| blame \| history
tools/xenstore/xenstored_domain.c		diff \| blob \| blame \| history
tools/xenstore/xenstored_domain.h		diff \| blob \| blame \| history
tools/xenstore/xenstored_transaction.c		diff \| blob \| blame \| history
tools/xenstore/xenstored_transaction.h		diff \| blob \| blame \| history
tools/xenstore/xenstored_watch.c		diff \| blob \| blame \| history
tools/xenstore/xenstored_watch.h		diff \| blob \| blame \| history