| From foo@baz Tue Nov 28 10:58:31 CET 2017 |
| From: Juergen Gross <jgross@suse.com> |
| Date: Thu, 22 Dec 2016 08:19:46 +0100 |
| Subject: xen: xenbus driver must not accept invalid transaction ids |
| |
| From: Juergen Gross <jgross@suse.com> |
| |
| |
| [ Upstream commit 639b08810d6ad74ded2c5f6e233c4fcb9d147168 ] |
| |
| When accessing Xenstore in a transaction the user is specifying a |
| transaction id which he normally obtained from Xenstore when starting |
| the transaction. Xenstore is validating a transaction id against all |
| known transaction ids of the connection the request came in. As all |
| requests of a domain not being the one where Xenstore lives share |
| one connection, validation of transaction ids of different users of |
| Xenstore in that domain should be done by the kernel of that domain |
| being the multiplexer between the Xenstore users in that domain and |
| Xenstore. |
| |
| In order to prohibit one Xenstore user "hijacking" a transaction from |
| another user the xenbus driver has to verify a given transaction id |
| against all known transaction ids of the user before forwarding it to |
| Xenstore. |
| |
| Signed-off-by: Juergen Gross <jgross@suse.com> |
| Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> |
| Signed-off-by: Juergen Gross <jgross@suse.com> |
| Signed-off-by: Sasha Levin <alexander.levin@verizon.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/xen/xenbus/xenbus_dev_frontend.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/drivers/xen/xenbus/xenbus_dev_frontend.c |
| +++ b/drivers/xen/xenbus/xenbus_dev_frontend.c |
| @@ -316,7 +316,7 @@ static int xenbus_write_transaction(unsi |
| rc = -ENOMEM; |
| goto out; |
| } |
| - } else if (msg_type == XS_TRANSACTION_END) { |
| + } else if (u->u.msg.tx_id != 0) { |
| list_for_each_entry(trans, &u->transactions, list) |
| if (trans->handle.id == u->u.msg.tx_id) |
| break; |
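Review bot: Because the new test `u->u.msg.tx_id != 0` sits in an `else if`, any request taken by the preceding branch (the one ending in `rc = -ENOMEM; goto out;`) skips the lookup in `u->transactions` whatever tx_id it carries. Please confirm that branch never forwards a caller-supplied transaction id, or move the validation out of the else chain so it applies to every message type. The bare `0` also deserves a short comment saying that it means "not in a transaction", since the whole check now hinges on that value. Finally, the visible context stops at `break;`, so the not-found handling is outside this hunk. With the lookup now running for every request with a non-zero id rather than only for XS_TRANSACTION_END, it is worth checking that the not-found path rejects the request before it is forwarded to Xenstore, and that any later code which assumed `trans` was only set for XS_TRANSACTION_END still behaves correctly.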