1. 04 Jan, 2012 2 commits
    • xen/xenbus: Reject replies with payload > XENSTORE_PAYLOAD_MAX. · 9e7860ce
      Ian Campbell authored
      Haogang Chen found out that:
      
       There is a potential integer overflow in process_msg() that could result
       in a cross-domain attack.
      
       	body = kmalloc(msg->hdr.len + 1, GFP_NOIO | __GFP_HIGH);
      
       When a malicious guest passes 0xffffffff in msg->hdr.len, the subsequent
       call to xb_read() would write to a zero-length buffer.
      
       The other end of this connection is always the xenstore backend daemon
       so there is no guest (malicious or otherwise) which can do this. The
       xenstore daemon is a trusted component in the system.
      
       However, this seems like a reasonable robustness improvement, so we should
       have it.
      
      And Ian, when reading the API docs, found that:
              The payload length (len field of the header) is limited to 4096
              (XENSTORE_PAYLOAD_MAX) in both directions.  If a client exceeds the
              limit, its xenstored connection will be immediately killed by
              xenstored, which is usually catastrophic from the client's point of
              view.  Clients (particularly domains, which cannot just reconnect)
              should avoid this.
      
      so this patch checks against that instead.
      
      This also avoids a potential integer overflow pointed out by Haogang Chen.
      Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
      Cc: Haogang Chen <haogangchen@gmail.com>
      CC: stable@kernel.org
      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
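Added model in C of the reply-length handling the commit above describes; it is not the kernel's code. unchecked_body_size() reproduces the u32 len + 1 wrap the pre-patch kmalloc() size suffered, checked_body_size() applies the XENSTORE_PAYLOAD_MAX bound the patch introduces, and process_msg() runs the checked path over a constructed buffer. struct hdr and the flattening of the xenstore ring into a plain byte array are simplifying assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* XENSTORE_PAYLOAD_MAX is the 4096-byte limit quoted in the commit message. */
#define XENSTORE_PAYLOAD_MAX 4096

/* Assumed stand-in for the xenstore message header: only the 32-bit len matters. */
struct hdr { uint32_t type; uint32_t len; };

/* Size the pre-patch code handed to kmalloc(): len is u32, so len + 1 is
 * computed in 32-bit arithmetic and wraps to 0 when len == 0xffffffff. */
size_t unchecked_body_size(const struct hdr *h)
{
    return h->len + 1;
}

/* Post-patch check: refuse a payload over the protocol limit before
 * allocating. Returns 0 and sets *out, or -EINVAL. */
int checked_body_size(const struct hdr *h, size_t *out)
{
    if (h->len > XENSTORE_PAYLOAD_MAX)
        return -EINVAL;
    *out = (size_t)h->len + 1;   /* payload plus NUL terminator */
    return 0;
}

/* Model of process_msg() over a constructed buffer holding the header bytes
 * followed by the payload. Returns a NUL-terminated copy, or NULL with *err set. */
char *process_msg(const uint8_t *buf, size_t avail, int *err)
{
    struct hdr h; size_t sz; char *body;

    if (avail < sizeof h) { *err = -EIO; return NULL; }
    memcpy(&h, buf, sizeof h);
    if ((*err = checked_body_size(&h, &sz)) < 0)
        return NULL;
    /* Payload shorter than the header claims: the real code would wait for
     * more ring data; in this flattened model it is simply an error. */
    if (avail - sizeof h < h.len) { *err = -EIO; return NULL; }
    if (!(body = malloc(sz))) { *err = -ENOMEM; return NULL; }
    memcpy(body, buf + sizeof h, h.len);
    body[h.len] = '\0';
    *err = 0;
    return body;
}
```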
    • Xen: consolidate and simplify struct xenbus_driver instantiation · 73db144b
      Jan Beulich authored
      The 'name', 'owner', and 'mod_name' members are redundant with the
      identically named fields in the 'driver' sub-structure. Rather than
      switching each instance to specify these fields explicitly, introduce
      a macro to simplify this.
      
      Eliminate further redundancy by allowing the drvname argument to
      DEFINE_XENBUS_DRIVER() to be blank (in which case the first entry from
      the ID table will be used for .driver.name).
      
      Also eliminate the questionable xenbus_register_{back,front}end()
      wrappers - their sole remaining purpose was the checking of the
      'owner' field, proper setting of which shouldn't be an issue anymore
      when the macro gets used.
      
      v2: Restore DRV_NAME for the driver name in xen-pciback.
      Signed-off-by: Jan Beulich <jbeulich@suse.com>
      Cc: Jens Axboe <axboe@kernel.dk>
      Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Cc: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
      Cc: Ian Campbell <ian.campbell@citrix.com>
      Cc: David S. Miller <davem@davemloft.net>
      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
  2. 03 Jan, 2012 1 commit
    • xen-gntalloc: introduce missing kfree · 2e163414
      Julia Lawall authored
      Error handling code following a kmalloc should free the allocated data.
      Out_unlock is used on both success and failure, so free vm_priv before
      jumping to that label.
      
      A simplified version of the semantic match that finds the problem is as
      follows: (http://coccinelle.lip6.fr)
      
      // <smpl>
      @r exists@
      local idexpression x;
      statement S;
      identifier f1;
      position p1,p2;
      expression *ptr != NULL;
      @@
      
      x@p1 = \(kmalloc\|kzalloc\|kcalloc\)(...);
      ...
      if (x == NULL) S
      <... when != x
           when != if (...) { <+...x...+> }
      x->f1
      ...>
      (
       return \(0\|<+...x...+>\|ptr\);
      |
       return@p2 ...;
      )
      
      @script:python@
      p1 << r.p1;
      p2 << r.p2;
      @@
      
      print "* file: %s kmalloc %s return %s" % (p1[0].file,p1[0].line,p2[0].line)
      // </smpl>
      Signed-off-by: Julia Lawall <julia@diku.dk>
      [v1: Altered the description a bit]
      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>