Hi Juergen,
On 10/05/2021 08:49, Juergen Gross wrote:
> On 06.05.21 18:12, Julien Grall wrote:
>> From: Julien Grall <jgr...@amazon.com>
>>
>> ASAN reported one issue when Live Updating Xenstored:
>>
>> =================================================================
>> ==873==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc194f53e0 at pc 0x555c6b323292 bp 0x7ffc194f5340 sp 0x7ffc194f5338
>> WRITE of size 1 at 0x7ffc194f53e0 thread T0
>>     #0 0x555c6b323291 in dump_state_node_perms xen/tools/xenstore/xenstored_core.c:2468
>>     #1 0x555c6b32746e in dump_state_special_node xen/tools/xenstore/xenstored_domain.c:1257
>>     #2 0x555c6b32a702 in dump_state_special_nodes xen/tools/xenstore/xenstored_domain.c:1273
>>     #3 0x555c6b32ddb3 in lu_dump_state xen/tools/xenstore/xenstored_control.c:521
>>     #4 0x555c6b32e380 in do_lu_start xen/tools/xenstore/xenstored_control.c:660
>>     #5 0x555c6b31b461 in call_delayed xen/tools/xenstore/xenstored_core.c:278
>>     #6 0x555c6b32275e in main xen/tools/xenstore/xenstored_core.c:2357
>>     #7 0x7f95eecf3d09 in __libc_start_main ../csu/libc-start.c:308
>>     #8 0x555c6b3197e9 in _start (/usr/local/sbin/xenstored+0xc7e9)
>>
>> Address 0x7ffc194f53e0 is located in stack of thread T0 at offset 80 in frame
>>     #0 0x555c6b32713e in dump_state_special_node xen/tools/xenstore/xenstored_domain.c:1232
>>
>>   This frame has 2 object(s):
>>     [32, 40) 'head' (line 1233)
>>     [64, 80) 'sn' (line 1234) <== Memory access at offset 80 overflows this variable
>>
>> This is happening because the callers are passing a pointer to a variable
>> allocated on the stack. However, the field perms is a dynamic array, so
>> Xenstored will end up reading outside of the variable.
>>
>> Rework the code so the permissions are written one by one in the fd.
>>
>> Fixes: ed6eebf17d2c ("tools/xenstore: dump the xenstore state for live update")
>> Signed-off-by: Julien Grall <jgr...@amazon.com>
>
> Reviewed-by: Juergen Gross <jgr...@suse.com>
Committed.
Cheers,
--
Julien Grall
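Added example (not Xen's code and not part of the thread above): a stand-alone C illustration of the bug class the commit message describes. A struct ending in a flexible array member has a `sizeof` that excludes the array, so a stack variable of that type has no room for its entries, and filling them in before writing the whole object out overflows the frame exactly as the ASAN report shows. The hardened routine below writes the fixed header and then each permission entry directly to the stream, so no caller-owned object ever has to hold the variable-length record. The struct layout (`state_node`, `perm`), the function names and the sample data are all constructed for this example; only the idea of emitting the entries one by one comes from the fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified record layout (not Xen's xs_state_node). */
struct perm {
    uint32_t domid;
    uint8_t  access;
    uint8_t  pad[3];
};

struct state_node {
    uint32_t    path_len;   /* bytes of path, including the NUL */
    uint8_t     perm_n;     /* number of perm entries following the path */
    uint8_t     pad[3];
    struct perm perms[];    /* flexible array member: adds 0 bytes to sizeof */
};

/*
 * Buggy pattern (the shape of the reported bug; deliberately not compiled):
 *
 *   struct state_node sn;                  // 8 bytes on the stack
 *   for (i = 0; i < n; i++)
 *       sn.perms[i] = perms[i];            // writes past the end of 'sn'
 *   fwrite(&sn, sizeof(sn) + n * sizeof(perms[0]), 1, fp);
 *
 * sizeof(struct state_node) does not cover perms[], so any fixed-size
 * object of this type overflows as soon as one entry is stored in it.
 */

/* Hardened version: header first, then every permission straight to the
 * stream. The caller's object size no longer matters. */
static int dump_state_node(FILE *fp, const char *path,
                           const struct perm *perms, uint8_t perm_n)
{
    size_t plen = strlen(path) + 1;
    struct state_node hdr = { 0 };   /* zeroed, so padding bytes are defined */

    if (plen > UINT32_MAX)
        return -1;
    hdr.path_len = (uint32_t)plen;
    hdr.perm_n = perm_n;

    if (fwrite(&hdr, sizeof(hdr), 1, fp) != 1)
        return -1;
    if (fwrite(path, plen, 1, fp) != 1)
        return -1;
    for (uint8_t i = 0; i < perm_n; i++)
        if (fwrite(&perms[i], sizeof(perms[i]), 1, fp) != 1)
            return -1;
    return 0;
}

/* Expected serialized size of one record, used to check the dump. */
size_t state_node_size(const char *path, uint8_t perm_n)
{
    return sizeof(struct state_node) + strlen(path) + 1
           + (size_t)perm_n * sizeof(struct perm);
}

/* Dump one record through a temporary file and hand back the bytes in a
 * malloc'd buffer. Returns 0 on success. */
int dump_state_node_to_buf(const char *path, const struct perm *perms,
                           uint8_t perm_n, char **out, size_t *out_len)
{
    FILE *fp = tmpfile();
    long len;
    char *buf;

    if (!fp)
        return -1;
    if (dump_state_node(fp, path, perms, perm_n) != 0 ||
        fflush(fp) != 0 || (len = ftell(fp)) < 0) {
        fclose(fp);
        return -1;
    }
    buf = malloc((size_t)len);
    if (!buf) {
        fclose(fp);
        return -1;
    }
    rewind(fp);
    if (fread(buf, 1, (size_t)len, fp) != (size_t)len) {
        free(buf);
        fclose(fp);
        return -1;
    }
    fclose(fp);
    *out = buf;
    *out_len = (size_t)len;
    return 0;
}

int main(void)
{
    /* Constructed sample: two permission entries for one node. */
    const struct perm sample[2] = { { 0, 'b', { 0 } }, { 7, 'r', { 0 } } };
    char *buf;
    size_t len;

    if (dump_state_node_to_buf("/tool", sample, 2, &buf, &len))
        return 1;
    printf("record bytes: %zu, sizeof(struct state_node): %zu\n",
           len, sizeof(struct state_node));
    free(buf);
    return 0;
}
```

The check worth keeping from this is the first line of the test: `sizeof(struct state_node)` is 8 no matter how many entries a record carries, which is why a stack or statically sized instance can never be a valid destination for `perms[]`.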