blob: efa71783cddc6dd86c8648afac5f0b5c2b8d1b5e (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
|
From 2d3476effe3a9236867562f14dc26979a6527080 Mon Sep 17 00:00:00 2001
From: Juergen Gross <jgross@suse.com>
Date: Tue, 13 Sep 2022 07:35:13 +0200
Subject: [PATCH 123/126] tools/xenstore: fix deleting node in transaction
In case a node has been created in a transaction and it is later
deleted in the same transaction, the transaction will be terminated
with an error.
As this error is encountered only when handling the deleted node at
transaction finalization, the transaction will have been performed
partially and without updating the accounting information. This will
enable a malicious guest to create arbitrary number of nodes.
This is part of XSA-421 / CVE-2022-42325.
Signed-off-by: Juergen Gross <jgross@suse.com>
Tested-by: Julien Grall <jgrall@amazon.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
(cherry picked from commit 13ac37f1416cae88d97f7baf6cf2a827edb9a187)
---
tools/xenstore/xenstored_transaction.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/tools/xenstore/xenstored_transaction.c b/tools/xenstore/xenstored_transaction.c
index 3e3eb47326cc..7ffe21bb5285 100644
--- a/tools/xenstore/xenstored_transaction.c
+++ b/tools/xenstore/xenstored_transaction.c
@@ -418,7 +418,13 @@ static int finalize_transaction(struct connection *conn,
true);
talloc_free(data.dptr);
} else {
- ret = do_tdb_delete(conn, &key, NULL);
+ /*
+ * A node having been created and later deleted
+ * in this transaction will have no generation
+ * information stored.
+ */
+ ret = (i->generation == NO_GENERATION)
+ ? 0 : do_tdb_delete(conn, &key, NULL);
}
if (ret)
goto err;
--
2.37.4
|
GitWeb
