From: Ian Jackson <ian.jackson@eu.citrix.com>
Date: Thu, 5 May 2016 15:17:26 +0000 (+0100)
Subject: libxl: Do not trust backend for vusb
X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~1036
X-Git-Url: https://dgit.raspbian.org/%22http://www.example.com/cgi/%22/%22http:/www.example.com/cgi/%22?a=commitdiff_plain;h=2538aaa238aef15ade4e8a77db84691aea265693;p=xen.git

libxl: Do not trust backend for vusb

Read the type from /libxl, rather than the backend.  (We still trust
the backend for details such as the number of ports, etc.; these are
not a security problem.)

In getinfo, use the computed frontend path, and the incoming domid,
rather than needlessly reading these values from the backend.

This is part of XSA-178.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
---
v2: New patch following rebase.
---

diff --git a/tools/libxl/libxl_pvusb.c b/tools/libxl/libxl_pvusb.c
index 7af7e4d0f7..58cf21cb04 100644
--- a/tools/libxl/libxl_pvusb.c
+++ b/tools/libxl/libxl_pvusb.c
@@ -401,7 +401,7 @@ libxl_device_usbctrl_list(libxl_ctx *ctx, uint32_t domid, int *num)
             if (ret) goto out;
             usbctrl->version = READ_SUBPATH_INT(be_path, "usb-ver");
             usbctrl->ports = READ_SUBPATH_INT(be_path, "num-ports");
-            libxl_usbctrl_type_from_string(READ_SUBPATH(be_path, "type"),
+            libxl_usbctrl_type_from_string(READ_SUBPATH(libxl_path, "type"),
                                            &usbctrl->type);
 
 #undef READ_SUBPATH
@@ -459,12 +459,11 @@ int libxl_device_usbctrl_getinfo(libxl_ctx *ctx, uint32_t domid,
     usbctrlinfo->evtch = READ_SUBPATH_INT(fe_path, "event-channel");
     usbctrlinfo->ref_urb = READ_SUBPATH_INT(fe_path, "urb-ring-ref");
     usbctrlinfo->ref_conn = READ_SUBPATH_INT(fe_path, "urb-ring-ref");
-    tmp = READ_SUBPATH(be_path, "frontend");
-    usbctrlinfo->frontend = libxl__strdup(NOGC, tmp);
-    usbctrlinfo->frontend_id = READ_SUBPATH_INT(be_path, "frontend-id");
+    usbctrlinfo->frontend = libxl__strdup(NOGC, fe_path);
+    usbctrlinfo->frontend_id = domid;
     usbctrlinfo->ports = READ_SUBPATH_INT(be_path, "num-ports");
     usbctrlinfo->version = READ_SUBPATH_INT(be_path, "usb-ver");;
-    tmp = READ_SUBPATH(be_path, "type");
+    tmp = READ_SUBPATH(libxl_path, "type");
     libxl_usbctrl_type_from_string(tmp, &usbctrlinfo->type);
 
 #undef READ_SUBPATH