From mboxrd@z Thu Jan 1 00:00:00 1970 From: Andrew Cooper Subject: Re: [PATCH] x86/hvm: Fix use-after-free introduced by c/s 428607a Date: Tue, 2 Feb 2016 10:57:28 +0000 Message-ID: <56B08B98.4070303@citrix.com> References: <1454349419-18430-1-git-send-email-andrew.cooper3@citrix.com> <56B0964502000078000CD620@prv-mh.provo.novell.com> <56B08980.8060607@citrix.com> <56B0988F02000078000CD647@prv-mh.provo.novell.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <56B0988F02000078000CD647@prv-mh.provo.novell.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: Jan Beulich Cc: Xen-devel , Corneliu ZUZU List-Id: xen-devel@lists.xenproject.org On 02/02/16 10:52, Jan Beulich wrote: >>>> On 02.02.16 at 11:48, wrote: >> On 02/02/16 10:43, Jan Beulich wrote: >>>>>> On 01.02.16 at 18:56, wrote: >>>> For safety, NULL out the pointers after freeing them, in an attempt to make >>>> mistakes more obvious in the future. >>> Except that NULLing isn't really adding that much safety, and we'd >>> be better off poisoning such pointers. Nevertheless ... >> NULLing the pointers would cause things like rtc_deinit() to always blow >> up when it followed the NULL pointer. >> >> IMO, we should unconditionally always NULL pointers when freeing a >> pointer which isn't in local scope. It would make issues such as these >> completely obvious. > As would poisoning the pointers, yet poisoning has the advantage > of not allowing PV guests to control what the hypervisor might > access when erroneously de-referencing such a pointer. Hmm. If we taught xfree() about this poisoned value and it treated it just as it would NULL, then this would work. I will put it on my todo list, unless anyone else beats me to it. ~Andrew