From: Gerd Hoffmann
Subject: [patch] Fix use-after-free in xenconsoled.
Date: Thu, 01 Nov 2007 14:59:58 +0100
Message-ID: <4729DBDE.9080507@redhat.com>
To: Xen Development Mailing List
List-Id: xen-devel@lists.xenproject.org

Hi,

shutdown_domain() MUST NOT call cleanup_domain(), just flagging them as dead is enough. cleanup_domains() for dead domains is called by the main loop in handle_io() in a safe way already. shutdown_domain() calling cleanup_domain() too leads to struct domain being accessed after freeing and to a double-free.

Fixed by simply dropping the cleanup_domain() call and by making the functions called by the main loop in handle_io() ignore dead domains.

Please apply,
  Gerd

(attached file "fix")

Fix use-after-free in xenconsoled.

shutdown_domain() MUST NOT call cleanup_domain(), just flagging them as dead is enough. cleanup_domains() for dead domains is called by the main loop in handle_io() in a safe way already. shutdown_domain() calling cleanup_domain() too leads to struct domain being accessed after freeing and to a double-free.

Fixed by simply dropping the cleanup_domain() call and by making the functions called by the main loop in handle_io() ignore dead domains.

Signed-off-by: Gerd Hoffmann

diff -r c0b0974fb055 tools/console/daemon/io.c
--- a/tools/console/daemon/io.c	Fri May 18 16:59:32 2007 +0100
+++ b/tools/console/daemon/io.c	Thu Nov 01 14:47:49 2007 +0100
@@ -467,7 +467,6 @@ static void shutdown_domain(struct domai if (d->xce_handle != -1) xc_evtchn_close(d->xce_handle); d->xce_handle = -1; - cleanup_domain(d); } void enum_domains(void) @@ -513,6 +512,9 @@ static void handle_tty_read(struct domai struct xencons_interface *intf = dom->interface; XENCONS_RING_IDX prod; + if (dom->is_dead) + return; + len = ring_free_bytes(dom); if (len == 0) return; @@ -550,6 +552,9 @@ static void handle_tty_write(struct doma { ssize_t len; + if (dom->is_dead) + return; + len = write(dom->tty_fd, dom->buffer.data + dom->buffer.consumed, dom->buffer.size - dom->buffer.consumed); if (len < 1) { @@ -572,6 +577,9 @@ static void handle_ring_read(struct doma static void handle_ring_read(struct domain *dom) { evtchn_port_t port; + + if (dom->is_dead) + return; if ((port = xc_evtchn_pending(dom->xce_handle)) == -1) return; --------------060408020603030301090102 Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel --------------060408020603030301090102--
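Review bot: in the shutdown_domain() hunk, nothing in the visible lines sets d->is_dead, yet the three new guards and the deferred cleanup_domains() pass in handle_io() all depend on that flag; please confirm it is set earlier in the function (above the hunk's context), because a domain whose channel is closed and whose xce_handle is reset to -1 but which is not flagged dead would be neither serviced nor reaped. A one-line comment where the cleanup_domain(d) call used to be, saying that freeing is deliberately deferred to the main loop, would keep the next reader from reintroducing the call and the double-free.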
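Review bot: in the handle_tty_read() hunk the guard sits before ring_free_bytes(dom) touches the shared ring, which is the right place, but it protects only this handler. It is worth checking whether handle_io() still adds a dead domain's tty descriptor to the read set before dispatching to handle_tty_read(); if it does, the main loop will keep being woken for that descriptor until cleanup_domains() runs, and skipping dead domains when the fd sets are built would make this guard a backstop rather than the primary protection.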
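Review bot: in the handle_tty_write() hunk the early return happens before the write() and leaves dom->buffer.consumed and dom->buffer.size untouched, so whatever the domain had queued for its tty is silently dropped once it is flagged dead. That is reasonable for a dead domain, but a short comment stating that the buffered output is intentionally discarded (rather than flushed) would document the choice.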
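Review bot: in the handle_ring_read() hunk the guard also prevents xc_evtchn_pending() from being called with the -1 handle that shutdown_domain() now leaves in dom->xce_handle (first hunk), which is the stronger reason for it and deserves a comment. Minor style point: in the other two handlers the added `return;` is followed by a blank line before the next statement, whereas here the original blank line was consumed ahead of the guard and `if ((port = xc_evtchn_pending(...)` follows `return;` directly; add a blank line after the return for consistency.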