]>
Commit | Line | Data |
---|---|---|
18a2513c GKH |
1 | From foo@baz Tue Nov 28 10:56:34 CET 2017 |
2 | From: Juergen Gross <jgross@suse.com> | |
3 | Date: Thu, 22 Dec 2016 08:19:46 +0100 | |
4 | Subject: xen: xenbus driver must not accept invalid transaction ids | |
5 | ||
6 | From: Juergen Gross <jgross@suse.com> | |
7 | ||
8 | ||
9 | [ Upstream commit 639b08810d6ad74ded2c5f6e233c4fcb9d147168 ] | |
10 | ||
11 | When accessing Xenstore in a transaction the user is specifying a | |
12 | transaction id which he normally obtained from Xenstore when starting | |
13 | the transaction. Xenstore is validating a transaction id against all | |
14 | known transaction ids of the connection the request came in. As all | |
15 | requests of a domain not being the one where Xenstore lives share | |
16 | one connection, validation of transaction ids of different users of | |
17 | Xenstore in that domain should be done by the kernel of that domain | |
18 | being the multiplexer between the Xenstore users in that domain and | |
19 | Xenstore. | |
20 | ||
21 | In order to prohibit one Xenstore user "hijacking" a transaction from | |
22 | another user the xenbus driver has to verify a given transaction id | |
23 | against all known transaction ids of the user before forwarding it to | |
24 | Xenstore. | |
25 | ||
26 | Signed-off-by: Juergen Gross <jgross@suse.com> | |
27 | Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> | |
28 | Signed-off-by: Juergen Gross <jgross@suse.com> | |
29 | Signed-off-by: Sasha Levin <alexander.levin@verizon.com> | |
30 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
31 | --- | |
32 | drivers/xen/xenbus/xenbus_dev_frontend.c | 2 +- | |
33 | 1 file changed, 1 insertion(+), 1 deletion(-) | |
34 | ||
35 | --- a/drivers/xen/xenbus/xenbus_dev_frontend.c | |
36 | +++ b/drivers/xen/xenbus/xenbus_dev_frontend.c | |
37 | @@ -316,7 +316,7 @@ static int xenbus_write_transaction(unsi | |
38 | rc = -ENOMEM; | |
39 | goto out; | |
40 | } | |
41 | - } else if (msg_type == XS_TRANSACTION_END) { | |
42 | + } else if (u->u.msg.tx_id != 0) { | |
43 | list_for_each_entry(trans, &u->transactions, list) | |
44 | if (trans->handle.id == u->u.msg.tx_id) | |
45 | break; |