diff options
Diffstat (limited to '0084-tools-xenstore-fix-deleting-node-in-transaction.patch')
-rw-r--r-- | 0084-tools-xenstore-fix-deleting-node-in-transaction.patch | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/0084-tools-xenstore-fix-deleting-node-in-transaction.patch b/0084-tools-xenstore-fix-deleting-node-in-transaction.patch new file mode 100644 index 0000000..4ab044c --- /dev/null +++ b/0084-tools-xenstore-fix-deleting-node-in-transaction.patch @@ -0,0 +1,46 @@ +From 4305807dfdc183f4acd170fe00eb66b338fa6430 Mon Sep 17 00:00:00 2001 +From: Juergen Gross <jgross@suse.com> +Date: Tue, 13 Sep 2022 07:35:13 +0200 +Subject: [PATCH 84/87] tools/xenstore: fix deleting node in transaction + +In case a node has been created in a transaction and it is later +deleted in the same transaction, the transaction will be terminated +with an error. + +As this error is encountered only when handling the deleted node at +transaction finalization, the transaction will have been performed +partially and without updating the accounting information. This will +enable a malicious guest to create arbitrary number of nodes. + +This is part of XSA-421 / CVE-2022-42325. + +Signed-off-by: Juergen Gross <jgross@suse.com> +Tested-by: Julien Grall <jgrall@amazon.com> +Reviewed-by: Julien Grall <jgrall@amazon.com> +(cherry picked from commit 13ac37f1416cae88d97f7baf6cf2a827edb9a187) +--- + tools/xenstore/xenstored_transaction.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/tools/xenstore/xenstored_transaction.c b/tools/xenstore/xenstored_transaction.c +index 3e3eb47326cc..7ffe21bb5285 100644 +--- a/tools/xenstore/xenstored_transaction.c ++++ b/tools/xenstore/xenstored_transaction.c +@@ -418,7 +418,13 @@ static int finalize_transaction(struct connection *conn, + true); + talloc_free(data.dptr); + } else { +- ret = do_tdb_delete(conn, &key, NULL); ++ /* ++ * A node having been created and later deleted ++ * in this transaction will have no generation ++ * information stored. ++ */ ++ ret = (i->generation == NO_GENERATION) ++ ? 0 : do_tdb_delete(conn, &key, NULL); + } + if (ret) + goto err; +-- +2.37.4 + |