From owner-svn-src-all@freebsd.org Thu May 24 10:18:32 2018
From: Roger Pau Monné <royger@FreeBSD.org>
Date: Thu, 24 May 2018 10:18:31 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r334144 - head/sys/dev/xen/xenstore
Message-Id: <201805241018.w4OAIVMs076811@repo.freebsd.org>

Author: royger
Date: Thu May 24 10:18:31 2018
New Revision: 334144

URL: https://svnweb.freebsd.org/changeset/base/334144

Log:
  dev/xenstore: prevent transaction hijacking

  The user-space xenstore device is currently lacking a check to make sure
  that the caller is only using transaction ids currently assigned to it.
  This allows users of the xenstore device to hijack transactions not
  started by them, although the scope is limited to transactions started by
  the same domain.

  Tested by:	Nathan Friess
  Sponsored by:	Citrix Systems R&D

Modified:
  head/sys/dev/xen/xenstore/xenstore_dev.c

Modified: head/sys/dev/xen/xenstore/xenstore_dev.c
==============================================================================
--- head/sys/dev/xen/xenstore/xenstore_dev.c	Thu May 24 10:18:14 2018	(r334143)
+++ head/sys/dev/xen/xenstore/xenstore_dev.c	Thu May 24 10:18:31 2018	(r334144)
@@ -214,6 +214,18 @@ xs_dev_watch_cb(struct xs_watch *watch, const char **v free(payload, M_XENSTORE); } +static struct xs_dev_transaction * +xs_dev_find_transaction(struct xs_dev_data *u, uint32_t tx_id) +{ + struct xs_dev_transaction *trans; + + LIST_FOREACH(trans, &u->transactions, list) + if (trans->handle.id == tx_id) + return (trans); + + return (NULL); +} + static int xs_dev_read(struct cdev *dev, struct uio *uio, int ioflag) { @@ -281,6 +293,12 @@ xs_dev_write(struct cdev *dev, struct uio *uio, int io case XS_MKDIR: case XS_RM: case XS_SET_PERMS: + /* Check that this transaction id is not hijacked. */ + if (u->u.msg.tx_id != 0 && + xs_dev_find_transaction(u, u->u.msg.tx_id) == NULL) { + error = EINVAL; + break; + } error = xs_dev_request_and_reply(&u->u.msg, &reply); if (!error) { if (u->u.msg.type == XS_TRANSACTION_START) { @@ -289,12 +307,10 @@ xs_dev_write(struct cdev *dev, struct uio *uio, int io trans->handle.id = strtoul(reply, NULL, 0); LIST_INSERT_HEAD(&u->transactions, trans, list); } else if (u->u.msg.type == XS_TRANSACTION_END) { - LIST_FOREACH(trans, &u->transactions, list) - if (trans->handle.id == u->u.msg.tx_id) - break; -#if 0 /* XXX does this mean the list is empty? */ - BUG_ON(&trans->list == &u->transactions); -#endif + trans = xs_dev_find_transaction(u, + u->u.msg.tx_id); + KASSERT(trans != NULL, + ("Unable to find transaction")); LIST_REMOVE(trans, list); free(trans, M_XENSTORE); }
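Review bot: xs_dev_find_transaction walks u->transactions with no lock visible in the hunk, while its callers in xs_dev_write do LIST_INSERT_HEAD and LIST_REMOVE on the same list. Unless writes on one open file description are serialized somewhere outside this file, two threads sharing the descriptor can race the LIST_FOREACH against an insert or remove. A comment stating what serializes u->transactions, or a per-open mutex taken around the three list operations, would settle it.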
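Review bot: the new check in xs_dev_write returns EINVAL for a transaction id the caller does not own, which is the same errno a malformed message gets, so a caller (or a test like the one credited in the log) cannot distinguish a hijack refusal from a bad request; a distinct errno such as EPERM would make the rejection observable. The visible context shows only the tail of the case list (XS_MKDIR, XS_RM, XS_SET_PERMS); confirm that every message type that honours tx_id is routed through this case group, since any type handled elsewhere in the switch still bypasses xs_dev_find_transaction.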
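Review bot: replacing the "#if 0 BUG_ON" with KASSERT leaves LIST_REMOVE(trans, list) dereferencing NULL on kernels built without INVARIANTS if the lookup ever misses. The ownership check earlier in xs_dev_write guarantees a hit only when tx_id != 0, so an XS_TRANSACTION_END carrying tx_id 0 skips the check, and a non-error reply to it would reach LIST_REMOVE with trans == NULL. Either handle trans == NULL explicitly (set error = EINVAL and skip the remove, keeping the KASSERT as documentation) or drop the tx_id != 0 exemption for XS_TRANSACTION_END.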
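The commit log credits a test but none is on the page; the following is an added example, not code from the FreeBSD tree or from the committer, of the probe a reviewer would run against /dev/xen/xenstore: start a transaction on one descriptor, then issue an XS_WRITE under that id from a second descriptor, which a kernel with r334144 rejects with EINVAL and an older kernel accepts. It also carries a user-space model of the new ownership rule (xs_tx_allowed) and a serializer for the wire header (xs_pack) so the rule can be exercised without a Xen host. Assumptions: the XS_* type numbers are quoted from memory of Xen's xs_wire.h and should be checked against the installed header; the device accepts a whole request in one write(2) and hands the reply back across two read(2) calls; every function name here is mine.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Message type numbers as in Xen's xs_wire.h (assumed; verify locally). */
enum { XS_TRANSACTION_START = 6, XS_TRANSACTION_END = 7, XS_WRITE = 11,
       XS_ERROR = 16 };

/* Header that precedes every request and reply on /dev/xen/xenstore. */
struct xsd_sockmsg {
	uint32_t type, req_id, tx_id, len;
};

/* User-space model of the r334144 rule: tx_id 0 means "no transaction" and
 * is always accepted; any other id must be one this descriptor started. */
static int
xs_tx_allowed(const uint32_t *owned, size_t nowned, uint32_t tx_id)
{
	size_t i;

	if (tx_id == 0)
		return (0);
	for (i = 0; i < nowned; i++)
		if (owned[i] == tx_id)
			return (0);
	return (EINVAL);
}

/* Serialise header + payload into buf; returns the byte count, 0 if it does
 * not fit. */
static size_t
xs_pack(uint32_t type, uint32_t tx_id, const void *payload, uint32_t len,
    uint8_t *buf, size_t bufsz)
{
	struct xsd_sockmsg hdr = { type, 0, tx_id, len };

	if (bufsz < sizeof(hdr) + len)
		return (0);
	memcpy(buf, &hdr, sizeof(hdr));
	memcpy(buf + sizeof(hdr), payload, len);
	return (sizeof(hdr) + len);
}

/* One request/reply exchange; -1 with errno set when write(2) or read(2)
 * fails.  A rejected hijack surfaces here as EINVAL from write(2). */
static int
xs_roundtrip(int fd, uint32_t type, uint32_t tx_id, const void *payload,
    uint32_t len, struct xsd_sockmsg *rhdr, char *rbuf, size_t rbufsz)
{
	uint8_t req[4096];
	size_t n = xs_pack(type, tx_id, payload, len, req, sizeof(req));

	if (n == 0 || rbufsz == 0) {
		errno = EMSGSIZE;
		return (-1);
	}
	if (write(fd, req, n) != (ssize_t)n)
		return (-1);
	if (read(fd, rhdr, sizeof(*rhdr)) != (ssize_t)sizeof(*rhdr))
		return (-1);
	if (rhdr->len >= rbufsz) {
		errno = EMSGSIZE;
		return (-1);
	}
	if (read(fd, rbuf, rhdr->len) != (ssize_t)rhdr->len)
		return (-1);
	rbuf[rhdr->len] = '\0';
	return (0);
}

/* Hijack probe; needs a Xen dom0/domU and root for /dev/xen/xenstore. */
int
main(void)
{
	static const char wr[] = "data/hijack-test\0yes"; /* "path\0value" */
	struct xsd_sockmsg rh = { 0, 0, 0, 0 };
	char rbuf[256];
	uint32_t tx;
	int fd1 = open("/dev/xen/xenstore", O_RDWR);
	int fd2 = open("/dev/xen/xenstore", O_RDWR);

	if (fd1 < 0 || fd2 < 0) {
		perror("open /dev/xen/xenstore");
		return (1);
	}
	if (xs_roundtrip(fd1, XS_TRANSACTION_START, 0, "", 1, &rh, rbuf,
	    sizeof(rbuf)) != 0 || rh.type == XS_ERROR) {
		fprintf(stderr, "TRANSACTION_START failed\n");
		return (1);
	}
	tx = strtoul(rbuf, NULL, 0);	/* reply payload is the id as text */
	if (xs_roundtrip(fd2, XS_WRITE, tx, wr, sizeof(wr) - 1, &rh, rbuf,
	    sizeof(rbuf)) != 0)
		printf("tx %u: write from another fd rejected (%s)\n", tx,
		    strerror(errno));
	else
		printf("tx %u: write from another fd accepted, reply type %u: "
		    "hijacked\n", tx, rh.type);
	/* Abort the transaction so the probe leaves nothing in xenstore. */
	xs_roundtrip(fd1, XS_TRANSACTION_END, tx, "F", 2, &rh, rbuf,
	    sizeof(rbuf));
	close(fd2);
	close(fd1);
	return (0);
}
```

Run it as root before and after the update: the "rejected (Invalid argument)" line is the post-r334144 behaviour. Because the kernel answers the rejection with the same EINVAL it uses for malformed messages, the probe cannot tell the two apart, so a second run with a deliberately wrong header length is a useful control.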