1. 05 1月, 2012 2 次提交
    • I
      xen/xenbus: Reject replies with payload > XENSTORE_PAYLOAD_MAX. · 9e7860ce
      Ian Campbell 提交于
      Haogang Chen found out that:
      
       There is a potential integer overflow in process_msg() that could result
       in cross-domain attack.
      
       	body = kmalloc(msg->hdr.len + 1, GFP_NOIO | __GFP_HIGH);
      
       When a malicious guest passes 0xffffffff in msg->hdr.len, the subsequent
       call to xb_read() would write to a zero-length buffer.
      
       The other end of this connection is always the xenstore backend daemon
       so there is no guest (malicious or otherwise) which can do this. The
       xenstore daemon is a trusted component in the system.
      
       However this seem like a reasonable robustness improvement so we should
       have it.
      
      And Ian when read the API docs found that:
              The payload length (len field of the header) is limited to 4096
              (XENSTORE_PAYLOAD_MAX) in both directions.  If a client exceeds the
              limit, its xenstored connection will be immediately killed by
              xenstored, which is usually catastrophic from the client's point of
              view.  Clients (particularly domains, which cannot just reconnect)
              should avoid this.
      
      so this patch checks against that instead.
      
      This also avoids a potential integer overflow pointed out by Haogang Chen.
      Signed-off-by: NIan Campbell <ian.campbell@citrix.com>
      Cc: Haogang Chen <haogangchen@gmail.com>
      CC: stable@kernel.org
      Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      9e7860ce
    • J
      Xen: consolidate and simplify struct xenbus_driver instantiation · 73db144b
      Jan Beulich 提交于
      The 'name', 'owner', and 'mod_name' members are redundant with the
      identically named fields in the 'driver' sub-structure. Rather than
      switching each instance to specify these fields explicitly, introduce
      a macro to simplify this.
      
      Eliminate further redundancy by allowing the drvname argument to
      DEFINE_XENBUS_DRIVER() to be blank (in which case the first entry from
      the ID table will be used for .driver.name).
      
      Also eliminate the questionable xenbus_register_{back,front}end()
      wrappers - their sole remaining purpose was the checking of the
      'owner' field, proper setting of which shouldn't be an issue anymore
      when the macro gets used.
      
      v2: Restore DRV_NAME for the driver name in xen-pciback.
      Signed-off-by: NJan Beulich <jbeulich@suse.com>
      Cc: Jens Axboe <axboe@kernel.dk>
      Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Cc: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
      Cc: Ian Campbell <ian.campbell@citrix.com>
      Cc: David S. Miller <davem@davemloft.net>
      Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      73db144b
  2. 04 1月, 2012 1 次提交
    • J
      xen-gntalloc: introduce missing kfree · 2e163414
      Julia Lawall 提交于
      Error handling code following a kmalloc should free the allocated data.
      Out_unlock is used on both success and failure, so free vm_priv before
      jumping to that label.
      
      A simplified version of the semantic match that finds the problem is as
      follows: (http://coccinelle.lip6.fr)
      
      // <smpl>
      @r exists@
      local idexpression x;
      statement S;
      identifier f1;
      position p1,p2;
      expression *ptr != NULL;
      @@
      
      x@p1 = \(kmalloc\|kzalloc\|kcalloc\)(...);
      ...
      if (x == NULL) S
      <... when != x
           when != if (...) { <+...x...+> }
      x->f1
      ...>
      (
       return \(0\|<+...x...+>\|ptr\);
      |
       return@p2 ...;
      )
      
      @script:python@
      p1 << r.p1;
      p2 << r.p2;
      @@
      
      print "* file: %s kmalloc %s return %s" % (p1[0].file,p1[0].line,p2[0].line)
      // </smpl>
      Signed-off-by: NJulia Lawall <julia@diku.dk>
      [v1: Altered the description a bit]
      Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      2e163414
  3. 22 12月, 2011 1 次提交
  4. 21 12月, 2011 5 次提交
  5. 20 12月, 2011 1 次提交
  6. 17 12月, 2011 11 次提交
  7. 01 12月, 2011 1 次提交
  8. 24 11月, 2011 15 次提交
  9. 23 11月, 2011 3 次提交