blkback: Fix CVE-2010-3699
author Keir Fraser <keir@xen.org>
Thu, 25 Nov 2010 06:08:20 +0000 (22:08 -0800)
committer Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Thu, 14 Apr 2011 22:26:15 +0000 (18:26 -0400)
A guest can cause the backend driver to leak a kernel thread. Such
leaked threads hold references to the device, which makes the device
impossible to tear down. If shut down, the guest remains a zombie
domain, the xenwatch process hangs, and most xm commands will stop
working.

This patch tries to do the following for blkback:
    - identify/extract idempotent teardown operations,
    - add/move the invocation of said teardown operation
      right before we're about to allocate new resources in the
      Connected states.

[ linux-2.6.18-xen.hg 59f097ef181b ]

Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Keir Fraser <keir@xen.org>
Signed-off-by: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
drivers/xen/blkback/xenbus.c

index a0534fc6a42891ff15f43a05877b06a642024433..031bc3d7eec3df8e9a89fd53df6e0d5b5a25dc60 100644 (file)
@@ -382,6 +382,11 @@ static void frontend_changed(struct xenbus_device *dev,
                if (dev->state == XenbusStateConnected)
                        break;
 
+               /* Enforce precondition before potential leak point.
+                * blkif_disconnect() is idempotent.
+                */
+               blkif_disconnect(be->blkif);
+
                err = connect_ring(be);
                if (err)
                        break;
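Review bot: the correctness of this hunk rests entirely on blkif_disconnect() being safe to call before any ring or thread exists (the first Connected transition) and on it actually stopping and reaping the kernel thread, neither of which is visible here; the added comment asserts idempotency but should point at the checks in blkif_disconnect() that make it true, and the wording "Enforce precondition before potential leak point" would read better if it named the precondition, e.g. "no ring mapped and no thread running before connect_ring() allocates new ones". Since the early `break` on `dev->state == XenbusStateConnected` only guards the case where the backend is already Connected, the disconnect call is what covers a frontend that re-enters Connected while the previous connect's resources are still live, which is the leak described in the commit message.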
@@ -399,6 +404,7 @@ static void frontend_changed(struct xenbus_device *dev,
                        break;
                /* fall through if not online */
        case XenbusStateUnknown:
+               /* implies blkif_disconnect() via blkback_remove() */
                device_unregister(&dev->dev);
                break;
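Review bot: this is a comment-only change, so no behaviour is affected, but "implies blkif_disconnect() via blkback_remove()" leans on blkback_remove() being the remove callback that device_unregister() ends up invoking, which is not shown in the hunk; stating that explicitly ("device_unregister() runs blkback_remove(), which calls blkif_disconnect()") makes the tear-down path checkable. Note also that the `break;` just above the "fall through if not online" comment leaves the device registered without tearing the blkif down; with the first hunk that case is cleaned up on the next Connected transition, and it would help to say in the commit message that deferring tear-down in the online case is intentional.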