projects / xen.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 7214cc7) | patch
tools/xenstore: Preserve bad client until they are destroyed
authorHarsha Shamsundara Havanur <havanur@amazon.com>
Tue, 15 Dec 2020 13:08:32 +0000 (14:08 +0100)
committerJan Beulich <jbeulich@suse.com>
Tue, 15 Dec 2020 13:08:32 +0000 (14:08 +0100)
commit57bbcd069b8965edef34c86893563336b4552c94
tree537042b396f4749c277bb71b67e122547af18e18tree | snapshot
parent7214cc7457a2862984039e96f21a5e03bfd16c50commit | diff
tools/xenstore: Preserve bad client until they are destroyed

XenStored will kill any connection that it thinks has misbehaved,
this is currently happening in two places:
 * In `handle_input()` if the sanity check on the ring and the message
   fails.
 * In `handle_output()` when failing to write the response in the ring.

As the domain structure is a child of the connection, XenStored will
destroy its view of the domain when killing the connection. This will
result in sending @releaseDomain event to all the watchers.

As the watch event doesn't carry which domain has been released,
the watcher (such as XenStored) will generally go through the list of
domains registers and check if one of them is shutting down/dying.
In the case of a client misbehaving, the domain will likely to be
running, so no action will be performed.

When the domain is effectively destroyed, XenStored will not be aware of
the domain anymore. So the watch event is not going to be sent.
By consequence, the watchers of the event will not release mappings
they may have on the domain. This will result in a zombie domain.

In order to send @releaseDomain event at the correct time, we want
to keep the domain structure until the domain is effectively
shutting-down/dying.

We also want to keep the connection around so we could possibly revive
the connection in the future.

A new flag 'is_ignored' is added to mark whether a connection should be
ignored when checking if there are work to do. Additionally any
transactions, watches, buffers associated to the connection will be
freed as you can't do much with them (restarting the connection will
likely need a reset).

As a side note, when the device model were running in a stubdomain, a
guest would have been able to introduce a use-after-free because there
is two parents for a guest connection.

This is XSA-325.

Reported-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
Signed-off-by: Harsha Shamsundara Havanur <havanur@amazon.com>
Signed-off-by: Julien Grall <jgrall@amazon.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Paul Durrant <paul@xen.org>
tools/xenstore/xenstored_core.c diff | blob | history
tools/xenstore/xenstored_core.h diff | blob | history
tools/xenstore/xenstored_domain.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.