1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
|
From d08cdf0b19daf948a6b9754e90de9bc304bcd262 Mon Sep 17 00:00:00 2001
From: Juergen Gross <jgross@suse.com>
Date: Tue, 13 Sep 2022 07:35:07 +0200
Subject: [PATCH 49/87] tools/xenstore: let unread watch events time out
A future modification will limit the number of outstanding requests
for a domain, where "outstanding" means that the response of the
request or any resulting watch event hasn't been consumed yet.
In order to avoid a malicious guest being capable to block other guests
by not reading watch events, add a timeout for watch events. In case a
watch event hasn't been consumed after this timeout, it is being
deleted. Set the default timeout to 20 seconds (a random value being
not too high).
In order to support to specify other timeout values in future, use a
generic command line option for that purpose:
--timeout|-w watch-event=<seconds>
This is part of XSA-326 / CVE-2022-42311.
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
(cherry picked from commit 5285dcb1a5c01695c11e6397c95d906b5e765c98)
---
tools/xenstore/xenstored_core.c | 133 +++++++++++++++++++++++++++++++-
tools/xenstore/xenstored_core.h | 6 ++
2 files changed, 138 insertions(+), 1 deletion(-)
diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
index bf2243873901..45244c021cd3 100644
--- a/tools/xenstore/xenstored_core.c
+++ b/tools/xenstore/xenstored_core.c
@@ -108,6 +108,8 @@ int quota_max_transaction = 10;
int quota_nb_perms_per_node = 5;
int quota_max_path_len = XENSTORE_REL_PATH_MAX;
+unsigned int timeout_watch_event_msec = 20000;
+
void trace(const char *fmt, ...)
{
va_list arglist;
@@ -211,19 +213,92 @@ void reopen_log(void)
}
}
+static uint64_t get_now_msec(void)
+{
+ struct timespec now_ts;
+
+ if (clock_gettime(CLOCK_MONOTONIC, &now_ts))
+ barf_perror("Could not find time (clock_gettime failed)");
+
+ return now_ts.tv_sec * 1000 + now_ts.tv_nsec / 1000000;
+}
+
static void free_buffered_data(struct buffered_data *out,
struct connection *conn)
{
+ struct buffered_data *req;
+
list_del(&out->list);
+
+ /*
+ * Update conn->timeout_msec with the next found timeout value in the
+ * queued pending requests.
+ */
+ if (out->timeout_msec) {
+ conn->timeout_msec = 0;
+ list_for_each_entry(req, &conn->out_list, list) {
+ if (req->timeout_msec) {
+ conn->timeout_msec = req->timeout_msec;
+ break;
+ }
+ }
+ }
+
talloc_free(out);
}
+static void check_event_timeout(struct connection *conn, uint64_t msecs,
+ int *ptimeout)
+{
+ uint64_t delta;
+ struct buffered_data *out, *tmp;
+
+ if (!conn->timeout_msec)
+ return;
+
+ delta = conn->timeout_msec - msecs;
+ if (conn->timeout_msec <= msecs) {
+ delta = 0;
+ list_for_each_entry_safe(out, tmp, &conn->out_list, list) {
+ /*
+ * Only look at buffers with timeout and no data
+ * already written to the ring.
+ */
+ if (out->timeout_msec && out->inhdr && !out->used) {
+ if (out->timeout_msec > msecs) {
+ conn->timeout_msec = out->timeout_msec;
+ delta = conn->timeout_msec - msecs;
+ break;
+ }
+
+ /*
+ * Free out without updating conn->timeout_msec,
+ * as the update is done in this loop already.
+ */
+ out->timeout_msec = 0;
+ trace("watch event path %s for domain %u timed out\n",
+ out->buffer, conn->id);
+ free_buffered_data(out, conn);
+ }
+ }
+ if (!delta) {
+ conn->timeout_msec = 0;
+ return;
+ }
+ }
+
+ if (*ptimeout == -1 || *ptimeout > delta)
+ *ptimeout = delta;
+}
+
void conn_free_buffered_data(struct connection *conn)
{
struct buffered_data *out;
while ((out = list_top(&conn->out_list, struct buffered_data, list)))
free_buffered_data(out, conn);
+
+ conn->timeout_msec = 0;
}
static bool write_messages(struct connection *conn)
@@ -411,6 +486,7 @@ static void initialize_fds(int *p_sock_pollfd_idx, int *ptimeout)
{
struct connection *conn;
struct wrl_timestampt now;
+ uint64_t msecs;
if (fds)
memset(fds, 0, sizeof(struct pollfd) * current_array_size);
@@ -431,10 +507,12 @@ static void initialize_fds(int *p_sock_pollfd_idx, int *ptimeout)
wrl_gettime_now(&now);
wrl_log_periodic(now);
+ msecs = get_now_msec();
list_for_each_entry(conn, &connections, list) {
if (conn->domain) {
wrl_check_timeout(conn->domain, now, ptimeout);
+ check_event_timeout(conn, msecs, ptimeout);
if (conn_can_read(conn) ||
(conn_can_write(conn) &&
!list_empty(&conn->out_list)))
@@ -794,6 +872,7 @@ void send_reply(struct connection *conn, enum xsd_sockmsg_type type,
return;
bdata->inhdr = true;
bdata->used = 0;
+ bdata->timeout_msec = 0;
if (len <= DEFAULT_BUFFER_SIZE)
bdata->buffer = bdata->default_buffer;
@@ -845,6 +924,12 @@ void send_event(struct connection *conn, const char *path, const char *token)
bdata->hdr.msg.type = XS_WATCH_EVENT;
bdata->hdr.msg.len = len;
+ if (timeout_watch_event_msec && domain_is_unprivileged(conn)) {
+ bdata->timeout_msec = get_now_msec() + timeout_watch_event_msec;
+ if (!conn->timeout_msec)
+ conn->timeout_msec = bdata->timeout_msec;
+ }
+
/* Queue for later transmission. */
list_add_tail(&bdata->list, &conn->out_list);
}
@@ -2201,6 +2286,9 @@ static void usage(void)
" -t, --transaction <nb> limit the number of transaction allowed per domain,\n"
" -A, --perm-nb <nb> limit the number of permissions per node,\n"
" -M, --path-max <chars> limit the allowed Xenstore node path length,\n"
+" -w, --timeout <what>=<seconds> set the timeout in seconds for <what>,\n"
+" allowed timeout candidates are:\n"
+" watch-event: time a watch-event is kept pending\n"
" -R, --no-recovery to request that no recovery should be attempted when\n"
" the store is corrupted (debug only),\n"
" -I, --internal-db store database in memory, not on disk\n"
@@ -2223,6 +2311,7 @@ static struct option options[] = {
{ "transaction", 1, NULL, 't' },
{ "perm-nb", 1, NULL, 'A' },
{ "path-max", 1, NULL, 'M' },
+ { "timeout", 1, NULL, 'w' },
{ "no-recovery", 0, NULL, 'R' },
{ "internal-db", 0, NULL, 'I' },
{ "verbose", 0, NULL, 'V' },
@@ -2236,6 +2325,39 @@ int dom0_domid = 0;
int dom0_event = 0;
int priv_domid = 0;
+static int get_optval_int(const char *arg)
+{
+ char *end;
+ long val;
+
+ val = strtol(arg, &end, 10);
+ if (!*arg || *end || val < 0 || val > INT_MAX)
+ barf("invalid parameter value \"%s\"\n", arg);
+
+ return val;
+}
+
+static bool what_matches(const char *arg, const char *what)
+{
+ unsigned int what_len = strlen(what);
+
+ return !strncmp(arg, what, what_len) && arg[what_len] == '=';
+}
+
+static void set_timeout(const char *arg)
+{
+ const char *eq = strchr(arg, '=');
+ int val;
+
+ if (!eq)
+ barf("quotas must be specified via <what>=<seconds>\n");
+ val = get_optval_int(eq + 1);
+ if (what_matches(arg, "watch-event"))
+ timeout_watch_event_msec = val * 1000;
+ else
+ barf("unknown timeout \"%s\"\n", arg);
+}
+
int main(int argc, char *argv[])
{
int opt;
@@ -2250,7 +2372,7 @@ int main(int argc, char *argv[])
orig_argc = argc;
orig_argv = argv;
- while ((opt = getopt_long(argc, argv, "DE:F:HNPS:t:A:M:T:RVW:U", options,
+ while ((opt = getopt_long(argc, argv, "DE:F:HNPS:t:A:M:T:RVW:w:U", options,
NULL)) != -1) {
switch (opt) {
case 'D':
@@ -2300,6 +2422,9 @@ int main(int argc, char *argv[])
quota_max_path_len = min(XENSTORE_REL_PATH_MAX,
quota_max_path_len);
break;
+ case 'w':
+ set_timeout(optarg);
+ break;
case 'e':
dom0_event = strtol(optarg, NULL, 10);
break;
@@ -2741,6 +2866,12 @@ static void add_buffered_data(struct buffered_data *bdata,
barf("error restoring buffered data");
memcpy(bdata->buffer, data, len);
+ if (bdata->hdr.msg.type == XS_WATCH_EVENT && timeout_watch_event_msec &&
+ domain_is_unprivileged(conn)) {
+ bdata->timeout_msec = get_now_msec() + timeout_watch_event_msec;
+ if (!conn->timeout_msec)
+ conn->timeout_msec = bdata->timeout_msec;
+ }
/* Queue for later transmission. */
list_add_tail(&bdata->list, &conn->out_list);
diff --git a/tools/xenstore/xenstored_core.h b/tools/xenstore/xenstored_core.h
index e7ee87825c3b..8a81fc693f01 100644
--- a/tools/xenstore/xenstored_core.h
+++ b/tools/xenstore/xenstored_core.h
@@ -27,6 +27,7 @@
#include <fcntl.h>
#include <stdbool.h>
#include <stdint.h>
+#include <time.h>
#include <errno.h>
#include "xenstore_lib.h"
@@ -67,6 +68,8 @@ struct buffered_data
char raw[sizeof(struct xsd_sockmsg)];
} hdr;
+ uint64_t timeout_msec;
+
/* The actual data. */
char *buffer;
char default_buffer[DEFAULT_BUFFER_SIZE];
@@ -118,6 +121,7 @@ struct connection
/* Buffered output data */
struct list_head out_list;
+ uint64_t timeout_msec;
/* Transaction context for current request (NULL if none). */
struct transaction *transaction;
@@ -244,6 +248,8 @@ extern int dom0_event;
extern int priv_domid;
extern int quota_nb_entry_per_domain;
+extern unsigned int timeout_watch_event_msec;
+
/* Map the kernel's xenstore page. */
void *xenbus_map(void);
void unmap_xenbus(void *interface);
--
2.37.4
|
GitWeb