Hi,
Apologies for the late answer, I missed the e-mail in my inbox.
On 10/27/2017 05:37 PM, Ian Jackson wrote:
Pawel Wieczorkiewicz writes ("[PATCH] tools/xenstored: Check number of strings
passed to do_control()"):
It is possible to send a zero-string message body to xenstore's
XS_CONTROL handling function. Then the number of strings is used
for an array allocation. This leads to a crash in strcmp() in a
CONTROL sub-command invocation loop.
The output of xs_count_string() should be verified and all 0 or
negative values should be rejected with an EINVAL. At least the
sub-command name must be specified.
The xenstore crash can only be triggered from within dom0 (there
is a check in do_control() rejecting all non-dom0 requests with
an EACCES).
Acked-by: Ian Jackson <ian.jack...@eu.citrix.com>
(Added the for-4.10 tag to the Subject.)
Release-acked-by: Julien Grall <julien.gr...@linaro.org>
Cheers,
--
Julien Grall
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
