authorFlorian Schmaus <flow@gentoo.org>2022-11-09 09:53:02 +0100
committerFlorian Schmaus <flow@gentoo.org>2022-11-09 09:53:02 +0100
commitfac86a27853d2f21c62fefcba9cca32e3b9bdcdc (patch)
tree57acbe9aadcfdb2594eec2e21f1bab81bd104235 /0084-tools-xenstore-fix-deleting-node-in-transaction.patch
parentXen 4.16.3-pre-patchset-0 (diff)
Xen 4.16.3-pre-patchset-14.16.3-pre-patchset-1
Signed-off-by: Florian Schmaus <flow@gentoo.org>
Diffstat (limited to '0084-tools-xenstore-fix-deleting-node-in-transaction.patch')
-rw-r--r--0084-tools-xenstore-fix-deleting-node-in-transaction.patch46
1 files changed, 46 insertions, 0 deletions
diff --git a/0084-tools-xenstore-fix-deleting-node-in-transaction.patch b/0084-tools-xenstore-fix-deleting-node-in-transaction.patch
new file mode 100644
index 0000000..4ab044c
--- /dev/null
+++ b/0084-tools-xenstore-fix-deleting-node-in-transaction.patch
@@ -0,0 +1,46 @@
+From 4305807dfdc183f4acd170fe00eb66b338fa6430 Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Tue, 13 Sep 2022 07:35:13 +0200
+Subject: [PATCH 84/87] tools/xenstore: fix deleting node in transaction
+
+In case a node has been created in a transaction and it is later
+deleted in the same transaction, the transaction will be terminated
+with an error.
+
+As this error is encountered only when handling the deleted node at
+transaction finalization, the transaction will have been performed
+partially and without updating the accounting information. This will
+enable a malicious guest to create arbitrary number of nodes.
+
+This is part of XSA-421 / CVE-2022-42325.
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Tested-by: Julien Grall <jgrall@amazon.com>
+Reviewed-by: Julien Grall <jgrall@amazon.com>
+(cherry picked from commit 13ac37f1416cae88d97f7baf6cf2a827edb9a187)
+---
+ tools/xenstore/xenstored_transaction.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/tools/xenstore/xenstored_transaction.c b/tools/xenstore/xenstored_transaction.c
+index 3e3eb47326cc..7ffe21bb5285 100644
+--- a/tools/xenstore/xenstored_transaction.c
++++ b/tools/xenstore/xenstored_transaction.c
+@@ -418,7 +418,13 @@ static int finalize_transaction(struct connection *conn,
+ true);
+ talloc_free(data.dptr);
+ } else {
+- ret = do_tdb_delete(conn, &key, NULL);
++ /*
++ * A node having been created and later deleted
++ * in this transaction will have no generation
++ * information stored.
++ */
++ ret = (i->generation == NO_GENERATION)
++ ? 0 : do_tdb_delete(conn, &key, NULL);
+ }
+ if (ret)
+ goto err;
+--
+2.37.4
+
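Review bot: The added comment in the `else` branch of `finalize_transaction` says what `NO_GENERATION` indicates but not why returning 0 is safe. Consider extending it to something like `/* Created and deleted in this transaction: presumably never written to the main DB, so there is nothing to delete. */`. The fix relies on `NO_GENERATION` being set only for nodes with no pre-existing entry; that invariant is not visible in this hunk and should be confirmed where `i->generation` is assigned. Separately, `if (ret) goto err;` is unchanged, and the commit message says an error at this point leaves the transaction partially applied with accounting not updated. Any other `do_tdb_delete` failure would presumably end in the same state, so check whether the `err` path should restore quota accounting. The body of `finalize_transaction` starts and ends outside the hunk.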