From ca04e01490acc333b43cfc784751d09134e65e18 Mon Sep 17 00:00:00 2001 From: Ian Jackson Date: Tue, 3 May 2016 17:01:56 +0100 Subject: [PATCH] libxl: Do not trust frontend for channel in list libxl_device_channel_list should not trust frontend-provided data. So it needs to iterate using the /libxl paths, and read the backend path out of /libxl. However, it also filters out pure "consoles", which are channels without a "name". But the name was stored only in the frontend directory, which the frontend can delete. So store the name in the backend too. (Ideally we would store it in /libxl, where the backend can't write to it either, but libxl__device_console_add not currently have access to the xenstore transaction used by libxl__device_generic_add. Protection against the backend will come later, in XSA-178.) Because the libxl paths are defined to be in terms of the frontend device types, not the backend device types, it is no longer correct for libxl__append_channel_list to take a type argument. Abolish this (with no functional effect). This is part of XSA-175. Signed-off-by: Ian Jackson Reviewed-by: Wei Liu --- tools/libxl/libxl.c | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c index c24887aa12..85c0241695 100644 --- a/tools/libxl/libxl.c +++ b/tools/libxl/libxl.c @@ -3815,6 +3815,8 @@ int libxl__device_console_add(libxl__gc *gc, uint32_t domid, if (console->name) { flexarray_append(ro_front, "name"); flexarray_append(ro_front, console->name); + flexarray_append(back, "name"); + flexarray_append(back, console->name); } if (console->connection) { flexarray_append(back, "connection"); @@ -3953,34 +3955,35 @@ static int libxl__device_channel_from_xs_be(libxl__gc *gc, return rc; } -static int libxl__append_channel_list_of_type(libxl__gc *gc, +static int libxl__append_channel_list(libxl__gc *gc, uint32_t domid, - const char *type, libxl_device_channel **channels, int *nchannels) { - char *fe_path = NULL, *be_path = NULL; + char *libxl_dir_path = NULL, *be_path = NULL; char **dir = NULL; unsigned int n = 0, devid = 0; libxl_device_channel *next = NULL; int rc = 0, i; - fe_path = GCSPRINTF("%s/device/%s", - libxl__xs_get_dompath(gc, domid), type); - dir = libxl__xs_directory(gc, XBT_NULL, fe_path, &n); + libxl_dir_path = GCSPRINTF("%s/device/console", + libxl__xs_libxl_path(gc, domid)); + dir = libxl__xs_directory(gc, XBT_NULL, libxl_dir_path, &n); if (!dir || !n) goto out; for (i = 0; i < n; i++) { - const char *p, *name; + const char *libxl_path, *name; libxl_device_channel *tmp; - p = GCSPRINTF("%s/%s", fe_path, dir[i]); - name = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/name", p)); + libxl_path = GCSPRINTF("%s/%s", libxl_dir_path, dir[i]); + be_path = libxl__xs_read(gc, XBT_NULL, + GCSPRINTF("%s/backend", libxl_path)); + if (!be_path) continue; + name = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/name", be_path)); /* 'channels' are consoles with names, so ignore all consoles without names */ if (!name) continue; - be_path = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/backend", p)); tmp = realloc(*channels, sizeof(libxl_device_channel) * (*nchannels + devid + 1)); if (!tmp) { @@ -4011,7 +4014,7 @@ libxl_device_channel *libxl_device_channel_list(libxl_ctx *ctx, *num = 0; - rc = libxl__append_channel_list_of_type(gc, domid, "console", &channels, num); + rc = libxl__append_channel_list(gc, domid, &channels, num); if (rc) goto out_err; GC_FREE; -- 2.39.5