[PATCH] xen: xenbus_dev_frontend: Really return response string

From: Simon Gaiser
Date: Wed Mar 14 2018 - 23:08:48 EST

Next message: Shawn Guo: "Re: [PATCH v2 1/2] soc: imx: gpcv2: Do not pass static memory as platform data"
Previous message: Dou Liyang: "[RFC PATCH v2] ACPI / processor: Fix possible CPUs map"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

xenbus_command_reply() did not actually copy the response string and
leaked stack content instead.

Fixes: 9a6161fe73bd ("xen: return xenstore command failures via response instead of rc")
Signed-off-by: Simon Gaiser <simon@xxxxxxxxxxxxxxxxxxxxxx>
---

PS: AFAICS this is not a security issue since /dev/xen/xenbus is
normally only accessible by root and giving xenstore access to a less
trusted entity probably has a bunch of other unintended consequences.

drivers/xen/xenbus/xenbus_dev_frontend.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c
index a493e99bed21..845a70fa7f79 100644
--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
+++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
@@ -403,7 +403,7 @@ static int xenbus_command_reply(struct xenbus_file_priv *u,
{
struct {
struct xsd_sockmsg hdr;
- const char body[16];
+ char body[16];
} msg;
int rc;

@@ -412,6 +412,7 @@ static int xenbus_command_reply(struct xenbus_file_priv *u,
msg.hdr.len = strlen(reply) + 1;
if (msg.hdr.len > sizeof(msg.body))
return -E2BIG;
+ memcpy(&msg.body, reply, msg.hdr.len);

mutex_lock(&u->reply_mutex);
rc = queue_reply(&u->read_buffers, &msg, sizeof(msg.hdr) + msg.hdr.len);
--
2.16.2

Next message: Shawn Guo: "Re: [PATCH v2 1/2] soc: imx: gpcv2: Do not pass static memory as platform data"
Previous message: Dou Liyang: "[RFC PATCH v2] ACPI / processor: Fix possible CPUs map"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]