1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
|
From e4c0f9b55819194a501e3ecae6b12188a2db1d01 Mon Sep 17 00:00:00 2001
From: Ian Jackson <ian.jackson@eu.citrix.com>
Date: Tue, 3 May 2016 16:31:07 +0100
Subject: [PATCH 10/10] libxl: Do not trust frontend for nic in getinfo
libxl_device_nic_getinfo needs to examine devices without trusting
frontend-controlled data. So:
* Use /libxl to find the backend path.
* Parse the backend path to find the backend domid, rather than
reading it from the frontend.
This is part of XSA-175.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
---
tools/libxl/libxl.c | 21 ++++++++++++++-------
1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
index 7a8faba..c794d3a 100644
--- a/tools/libxl/libxl.c
+++ b/tools/libxl/libxl.c
@@ -3155,22 +3155,27 @@ int libxl_device_nic_getinfo(libxl_ctx *ctx, uint32_t domid,
libxl_device_nic *nic, libxl_nicinfo *nicinfo)
{
GC_INIT(ctx);
- char *dompath, *nicpath;
+ char *dompath, *nicpath, *libxl_path;
char *val;
+ int rc;
dompath = libxl__xs_get_dompath(gc, domid);
nicinfo->devid = nic->devid;
- nicpath = libxl__sprintf(gc, "%s/device/vif/%d", dompath, nicinfo->devid);
+ nicpath = GCSPRINTF("%s/device/vif/%d", dompath, nicinfo->devid);
+ libxl_path = GCSPRINTF("%s/device/vif/%d",
+ libxl__xs_libxl_path(gc, domid), nicinfo->devid);
nicinfo->backend = xs_read(ctx->xsh, XBT_NULL,
- libxl__sprintf(gc, "%s/backend", nicpath), NULL);
+ GCSPRINTF("%s/backend", libxl_path), NULL);
if (!nicinfo->backend) {
GC_FREE;
return ERROR_FAIL;
}
- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/backend-id", nicpath));
- nicinfo->backend_id = val ? strtoul(val, NULL, 10) : -1;
- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/state", nicpath));
+ rc = libxl__backendpath_parse_domid(gc, nicinfo->backend,
+ &nicinfo->backend_id);
+ if (rc) goto out;
+
+ val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/state", nicpath));
nicinfo->state = val ? strtoul(val, NULL, 10) : -1;
val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/event-channel", nicpath));
nicinfo->evtch = val ? strtoul(val, NULL, 10) : -1;
@@ -3183,8 +3188,10 @@ int libxl_device_nic_getinfo(libxl_ctx *ctx, uint32_t domid,
val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/frontend-id", nicinfo->backend));
nicinfo->frontend_id = val ? strtoul(val, NULL, 10) : -1;
+ rc = 0;
+ out:
GC_FREE;
- return 0;
+ return rc;
}
const char *libxl__device_nic_devname(libxl__gc *gc,
--
2.1.4
|
