From: Ian Jackson Date: Tue, 3 May 2016 14:58:32 +0000 (+0100) Subject: libxl: Do not trust frontend for vtpm list X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~1060 X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com/cgi/%22https://%22%22/%22http:/www.example.com/cgi/%22https:/%22%22?a=commitdiff_plain;h=0527125a6aae58a7eee8078184fced49dc2422ef;p=xen.git libxl: Do not trust frontend for vtpm list libxl_device_vtpm_list needs to enumerate and identify devices without trusting frontend-controlled data. So * Use the /libxl path to enumerate vtpms. * Use the /libxl path to find the corresponding backends. * Parse the backend path to find the backend domid. This is part of XSA-175. Signed-off-by: Ian Jackson Reviewed-by: Wei Liu
---
diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
index d2b1799faf..c8ad33ca7d 100644
--- a/tools/libxl/libxl.c
+++ b/tools/libxl/libxl.c
@@ -2176,14 +2176,15 @@ libxl_device_vtpm *libxl_device_vtpm_list(libxl_ctx *ctx, uint32_t domid, int *n
 GC_INIT(ctx);
 libxl_device_vtpm* vtpms = NULL;
- char* fe_path = NULL;
+ char *libxl_path;
 char** dir = NULL;
 unsigned int ndirs = 0;
+ int rc;
 *num = 0;
- fe_path = GCSPRINTF("%s/device/vtpm", libxl__xs_get_dompath(gc, domid));
- dir = libxl__xs_directory(gc, XBT_NULL, fe_path, &ndirs);
+ libxl_path = GCSPRINTF("%s/device/vtpm", libxl__xs_libxl_path(gc, domid));
+ dir = libxl__xs_directory(gc, XBT_NULL, libxl_path, &ndirs);
 if (dir && ndirs) {
 vtpms = malloc(sizeof(*vtpms) * ndirs);
 libxl_device_vtpm* vtpm;
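Review bot: The switch from `libxl__xs_get_dompath` to `libxl__xs_libxl_path` on the `libxl_path = GCSPRINTF(...)` line is the trust-boundary decision of this patch, yet nothing in the code records why, so a later cleanup could move the enumeration back to the frontend directory without noticing. I would add a comment directly above it, for example `/* Enumerate under /libxl, not the domain's own device dir: frontend-controlled data must not be trusted here (XSA-175). */`. The function body starts before and continues past this hunk.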
@@ -2192,16 +2193,15 @@ libxl_device_vtpm *libxl_device_vtpm_list(libxl_ctx *ctx, uint32_t domid, int *n
 char* tmp;
 const char* be_path = libxl__xs_read(gc, XBT_NULL,
 GCSPRINTF("%s/%s/backend",
- fe_path, *dir));
+ libxl_path, *dir));
 libxl_device_vtpm_init(vtpm);
 vtpm->devid = atoi(*dir);
- tmp = libxl__xs_read(gc, XBT_NULL,
- GCSPRINTF("%s/%s/backend-id",
- fe_path, *dir));
- vtpm->backend_domid = atoi(tmp);
+ rc = libxl__backendpath_parse_domid(gc, be_path,
+ &vtpm->backend_domid);
+ if (rc) return NULL;
 tmp = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/uuid", be_path));
 if (tmp) {
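Review bot: The new `if (rc) return NULL;` exits from inside the loop without releasing anything: the `vtpms` array allocated with malloc just before the loop is leaked, and the gc opened by `GC_INIT(ctx)` is presumably never freed because the normal exit path (outside this hunk) is skipped. Separately, `be_path` comes from `libxl__xs_read`, which can return NULL (the `if (tmp)` check a few lines below guards the same call), and it is passed to `libxl__backendpath_parse_domid` unchecked; whether that helper tolerates NULL is not visible here. I would add `if (!be_path) { rc = ERROR_FAIL; goto out_err; }` before the parse and send both failures to one cleanup label that frees `vtpms` and runs `GC_FREE` before returning NULL. The function begins before and ends after this hunk, so the existing exit path should be checked when placing that label.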