On Thu, May 08, 2025 at 06:01:56PM +0100, Ross Lagerwall wrote:
> From: Kevin Lampis <kevin.lam...@cloud.com>
>
> The livepatch list sysctl writes metadata into a buffer provided by the
> caller. The caller is expected to allocate an appropriately sized buffer
> but this is racy and may result in Xen writing beyond the end of the
> buffer should the metadata size change.
>
> The name buffer is expected to be an array of elements with size
> XEN_LIVEPATCH_NAME_SIZE to avoid this kind of race but the xen-livepatch
> tool allocates only as many bytes as needed, therefore encountering the
> same potential race condition.
>
> Fix both these issues by requiring the caller to pass in the size of the
> name and metadata buffers and then not writing beyond the allocated
> size.
>
> The sysctl interface version is bumped due to the change in semantics of
> the fields.
I would be tempted to add:

Fixes: b145b4a39c13 ('livepatch: Handle arbitrary size names with the list operation')
Fixes: 5083e0ff939d ('livepatch: Add metadata runtime retrieval mechanism')

As the current approach can easily lead to buffer overruns in guest memory, as Xen doesn't know the size.

>
> Signed-off-by: Kevin Lampis <kevin.lam...@cloud.com>
> Signed-off-by: Ross Lagerwall <ross.lagerw...@citrix.com>

Reviewed-by: Roger Pau Monné <roger....@citrix.com>

Thanks, Roger.
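The size-then-list race the commit message describes, and the caller-supplied-capacity fix it proposes, shown as a constructed C model. This is an added illustration, not Xen's livepatch code or the patch under review: `list_payloads`, `struct payload`, the sample payload sets and the `NAME_SIZE` constant (a stand-in for XEN_LIVEPATCH_NAME_SIZE) are all assumptions made for the example. The listing side never writes past the capacities the caller passes in; when the live set has grown between the sizing call and the list call it reports the bytes now required instead, and the caller reallocates and retries.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for XEN_LIVEPATCH_NAME_SIZE; not Xen's real value. */
#define NAME_SIZE 16

struct payload {
    const char *name;       /* capped at NAME_SIZE - 1 characters */
    const char *metadata;   /* "key=value\n..." text of arbitrary length */
};

/* Bounded "hypervisor side" of the list operation (hypothetical model).
 * The caller states the capacity of both buffers. Nothing is written past
 * either capacity: if the live set needs more than the caller allocated,
 * the required sizes are reported and no bytes are copied at all. */
static int list_payloads(const struct payload *pl, size_t n,
                         char *name_buf, size_t name_cap,
                         char *meta_buf, size_t meta_cap,
                         size_t *name_needed, size_t *meta_needed)
{
    size_t nreq = 0, mreq = 0;

    /* First pass: compute what this (possibly changed) set needs. */
    for (size_t i = 0; i < n; i++) {
        nreq += strnlen(pl[i].name, NAME_SIZE - 1) + 1;
        mreq += strlen(pl[i].metadata) + 1;
    }
    *name_needed = nreq;
    *meta_needed = mreq;
    if (nreq > name_cap || mreq > meta_cap)
        return -ENOBUFS;   /* caller must reallocate and retry */

    /* Second pass: copy NUL-separated entries, now known to fit. */
    size_t np = 0, mp = 0;
    for (size_t i = 0; i < n; i++) {
        size_t nl = strnlen(pl[i].name, NAME_SIZE - 1);
        size_t ml = strlen(pl[i].metadata);
        memcpy(name_buf + np, pl[i].name, nl);
        name_buf[np + nl] = '\0';
        np += nl + 1;
        memcpy(meta_buf + mp, pl[i].metadata, ml);
        meta_buf[mp + ml] = '\0';
        mp += ml + 1;
    }
    return 0;
}

/* Constructed sample data: the set the caller sized against, and the set
 * that is live by the time the list call runs (one metadata string grew
 * and a third payload was loaded in between). */
static const struct payload set_before[] = {
    { "fix-a", "version=1\n" },
    { "fix-b", "version=1\n" },
};
static const struct payload set_after[] = {
    { "fix-a", "version=1\n" },
    { "fix-b", "version=2\nnote=resized\n" },
    { "fix-c", "version=1\n" },
};

/* Backing storage; the capacities passed to list_payloads are what the
 * caller believes it allocated, which is what the bounds check uses. */
static char g_names[256];
static char g_meta[256];

/* Returns how many times the caller had to reallocate and retry, or -1
 * if it gave up. One retry is the expected outcome for the sample data. */
int run_scenario(void)
{
    size_t ncap = 0, mcap = 0, nneed, mneed;
    int retries = 0;

    /* Sizing pass, as the tool does before allocating its buffers. */
    list_payloads(set_before, 2, NULL, 0, NULL, 0, &ncap, &mcap);

    /* List pass runs against the set that is live now. */
    while (list_payloads(set_after, 3, g_names, ncap, g_meta, mcap,
                         &nneed, &mneed) == -ENOBUFS) {
        ncap = nneed;
        mcap = mneed;
        if (++retries > 3)
            return -1;
    }
    return retries;
}

/* Returns 1 if the retried listing holds exactly the three live names. */
int check_listing(void)
{
    static const char expect[] = "fix-a\0fix-b\0fix-c\0";
    if (run_scenario() != 1)
        return 0;
    return memcmp(g_names, expect, sizeof expect) == 0;
}

int main(void)
{
    printf("retries: %d, listing ok: %d\n", run_scenario(), check_listing());
    return 0;
}
```

The two-pass shape matters: computing the required sizes before copying anything means a too-small buffer results in a clean error and a retry, never a partial write, and the caller learns the new sizes from the same call that refused to overrun.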