From mboxrd@z Thu Jan 1 00:00:00 1970 From: Gerd Hoffmann Subject: [patch] fix xenstored Date: Thu, 26 Feb 2009 20:40:27 +0100 Message-ID: <49A6F02B.6060801@redhat.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="------------060008070101080704060509" Return-path: List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xensource.com Errors-To: xen-devel-bounces@lists.xensource.com To: Xen Development Mailing List List-Id: xen-devel@lists.xenproject.org This is a multi-part message in MIME format. --------------060008070101080704060509 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Hi, There is a use-after-free bug in xenstored. Problem: Handling requests for one connection can not only zap the connection itself, due to socket disconnects for example. It can also zap *other* connections, due to domain release requests. Especially it can zap the connection we have saved a pointer to in the "next" variable. The attached patch fixes it by adjusting the reference counting. please apply, Gerd --------------060008070101080704060509 Content-Type: text/plain; name="xenstored-crash.diff" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="xenstored-crash.diff" diff -r 8417ddc981b4 tools/xenstore/xenstored_core.c --- a/tools/xenstore/xenstored_core.c Mon Jan 05 11:10:54 2009 +0000 +++ b/tools/xenstore/xenstored_core.c Thu Feb 26 18:22:31 2009 +0100 @@ -1937,14 +1937,17 @@ handle_event(); next = list_entry(connections.next, typeof(*conn), list); + if (&next->list != &connections) + talloc_increase_ref_count(next); while (&next->list != &connections) { conn = next; next = list_entry(conn->list.next, typeof(*conn), list); + if (&next->list != &connections) + talloc_increase_ref_count(next); if (conn->domain) { - talloc_increase_ref_count(conn); if (domain_can_read(conn)) handle_input(conn); if (talloc_free(conn) == 0) 
@@ -1957,7 +1960,6 @@ if (talloc_free(conn) == 0) continue; } else { - talloc_increase_ref_count(conn); if (FD_ISSET(conn->fd, &inset)) handle_input(conn); if (talloc_free(conn) == 0) --------------060008070101080704060509 Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel --------------060008070101080704060509--
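Review bot: in the first hunk (`@@ -1937,14 +1937,17 @@`) the reference on `next` is taken before `handle_input(conn)` runs, which is what keeps `next` alive if handling `conn` releases another domain's connection, but it also means the following iteration will call `domain_can_read(conn)` / `handle_input(conn)` on a connection whose owner may already have dropped its own reference during the previous iteration; the code reached from the loop body should be checked for tolerating that, or the top of the loop body should test for it. Independently, a one-line comment at the `talloc_increase_ref_count(next)` call saying that this reference is handed over to `conn` on the next pass and released by the `talloc_free(conn)` below would make the ownership rule visible, since the removed `talloc_increase_ref_count(conn)` was the only hint that the loop holds its own reference. The guard `if (&next->list != &connections)` is also duplicated verbatim before the loop and inside it; folding the two into one helper or restructuring the loop so the reference is taken in one place would reduce the chance of the two drifting apart.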
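Review bot: in the second hunk (`@@ -1957,7 +1960,6 @@`) dropping `talloc_increase_ref_count(conn)` in the socket branch (the `FD_ISSET(conn->fd, &inset)` path) is consistent with the first hunk, since `conn` already carries the reference taken when it was `next`; but the `if (talloc_free(conn) == 0) continue;` logic that follows now depends on exactly one extra reference being present, so any future change that reaches this branch without going through the `next` assignment turns that `talloc_free(conn)` into a real free and reintroduces the use-after-free the patch is fixing. Suggest a comment at the `talloc_free(conn)` line stating that it releases the loop's own reference, not the connection, and, if the talloc copy in tree exposes a reference count query, an assertion on it before the free.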