author | Paul Durrant <paul.durrant@citrix.com> | 2013-04-18 17:38:17 +0200 |
---|---|---|
committer | Jan Beulich <jbeulich@suse.com> | 2013-04-18 17:38:17 +0200 |
commit | a12ed396652c22988e0e7a3f5bd57c882872da8e (patch) | |
tree | 10ec0be1a50b4693e315cbb1cb68342557c73368 /tools/libxl/libxl.c | |
parent | d3d1288618ec903ad6a0e994ddfe0975cbac1584 (diff) | |
Fix rcu domain locking for transitive grants

When acquiring a transitive grant for copy then the owning domain
needs to be locked down as well as the granting domain. This was being
done, but the unlocking was not. The acquire code now stores the
struct domain * of the owning domain (rather than the domid) in the
active entry in the granting domain. The release code then does the
unlock on the owning domain. Note that I believe I also fixed a bug
where, for non-transitive grants the active entry contained a
reference to the acquiring domain rather than the granting
domain. From my reading of the code this would stop the release code
for transitive grants from terminating its recursion correctly.

Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
master commit: f544bf377ee829e1342abd818ac30478c6f3a134
master date: 2011-03-08 16:30:30 +0000

Also, for non-transitive grants we now avoid incorrectly recursing
in __release_grant_for_copy.

This is CVE-2013-1964 / XSA-50.

Reported-by: Manuel Bouyer <bouyer@antioche.eu.org>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Tested-by: Manuel Bouyer <bouyer@antioche.eu.org>
Diffstat (limited to 'tools/libxl/libxl.c')
0 files changed, 0 insertions, 0 deletions
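
The lock balance described in the commit message above, as an added C model that is not Xen's code and not part of this commit: the active entry keeps a pointer to the owning domain so that release can unlock it, and a non-transitive entry points at the granting domain so the recursion stops. All names (`lock_domain`, `acquire_for_copy`, `release_for_copy`, `leaked_locks`) and the counter standing in for the RCU domain lock are assumptions made for illustration.

```c
/* Simplified model, not Xen source; every name here is hypothetical. */
enum { NDOM = 3, NREF = 2 };
struct grant  { int transitive, trans_domid, trans_gref; };
struct active { int pin, trans_gref; struct domain *trans_dom; };
struct domain {
    int locks;                      /* stands in for the RCU domain lock */
    struct grant shared[NREF];
    struct active act[NREF];
};
static struct domain doms[NDOM];

static struct domain *lock_domain(int id) { doms[id].locks++; return &doms[id]; }
static void unlock_domain(struct domain *d) { d->locks--; }

/* Pin gref in granting domain rd, following a transitive grant to its owner. */
static void acquire_for_copy(struct domain *rd, int gref)
{
    struct grant *g = &rd->shared[gref];
    struct active *a = &rd->act[gref];
    if (a->pin++ > 0) return;
    if (g->transitive) {
        struct domain *td = lock_domain(g->trans_domid);
        acquire_for_copy(td, g->trans_gref);
        a->trans_dom = td;          /* pointer kept so release can unlock it */
        a->trans_gref = g->trans_gref;
    } else {
        a->trans_dom = rd;          /* granting domain: terminates recursion */
        a->trans_gref = gref;
    }
}

/* fixed == 0 models the missing unlock on the owning domain. */
static void release_for_copy(struct domain *rd, int gref, int fixed)
{
    struct active *a = &rd->act[gref];
    if (--a->pin > 0 || a->trans_dom == rd) return;
    release_for_copy(a->trans_dom, a->trans_gref, fixed);
    if (fixed) unlock_domain(a->trans_dom);
}

/* Constructed scenario: dom1 gref 0 is transitive onto dom2 gref 1. */
static int leaked_locks(int fixed)
{
    for (int i = 0; i < NDOM; i++) doms[i] = (struct domain){ 0 };
    doms[1].shared[0] = (struct grant){ 1, 2, 1 };
    struct domain *rd = lock_domain(1);
    acquire_for_copy(rd, 0);
    release_for_copy(rd, 0, fixed);
    unlock_domain(rd);
    return doms[0].locks + doms[1].locks + doms[2].locks;
}
```

`leaked_locks(0)` leaves one lock held on the owning domain after a full acquire and release cycle; `leaked_locks(1)` returns to zero.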