authorIan Jackson <ian.jackson@eu.citrix.com>2013-09-03 11:55:48 +0100
committerIan Jackson <Ian.Jackson@eu.citrix.com>2013-09-03 12:03:39 +0100
commit070ab4c505934951f86f42dd8403cf62bc5822f0 (patch)
tree31b43a4b93625479f1d3327fd558ac75339c1d71 /tools/ocaml/xenstored/domain.ml
parent5b06843aa764012b9ace06ebac01c1fcf76e3fb7 (diff)
oxenstored: Protect oxenstored from malicious domains.
Add check logic when reading from the IO ring; if an error happens, mark the reading connection as "bad". Unless the VM reboots, oxenstored will not handle messages from this connection any more.

xs_ring_stubs.c: add a stricter check on ring reading
connection.ml, domain.ml: add getter and setter for bad flag
process.ml: if an exception is raised when reading from a domain's ring, mark this domain as "bad"
xenstored.ml: if a domain is marked as "bad", do not handle it.

Signed-off-by: John Liu <john.liuqiming@huawei.com>
Acked-by: David Scott <dave.scott@eu.citrix.com>
(cherry picked from commit 704302ce9404c73cfb687d31adcf67094ab5bb53)
(cherry picked from commit a978634bee4db6c5e0ceeb66adcc5114f3f9bc48)

Conflicts:
tools/ocaml/xenstored/domain.ml

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
(cherry picked from commit 9f93027afd796a98d7b92898f4ccc772796a4874)
Diffstat (limited to 'tools/ocaml/xenstored/domain.ml')
-rw-r--r--tools/ocaml/xenstored/domain.ml7
1 files changed, 6 insertions, 1 deletions
diff --git a/tools/ocaml/xenstored/domain.ml b/tools/ocaml/xenstored/domain.ml
index 258d172a5f..b41b00c658 100644
--- a/tools/ocaml/xenstored/domain.ml
+++ b/tools/ocaml/xenstored/domain.ml
@@ -26,6 +26,7 @@ type t =
interface: Mmap.mmap_interface;
eventchn: Event.t;
mutable port: int;
+ mutable bad_client: bool;
}
let get_path dom = "/local/domain/" ^ (sprintf "%u" dom.id)
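Review bot: The new `bad_client` field carries the quarantine decision for a domain but has no comment saying who sets it or whether it is ever cleared. From the rest of this diff it starts as `false` in `make` and is only ever set to `true` by `mark_as_bad`, with no way to reset it on an existing record. A short comment on the field would record that, e.g. `(* set when a read from this domain's ring raised; never reset on this record *)`. The record type `t` starts outside the hunk.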
@@ -34,6 +35,9 @@ let get_interface d = d.interface
let get_mfn d = d.mfn
let get_remote_port d = d.remote_port
+let is_bad_domain domain = domain.bad_client
+let mark_as_bad domain = domain.bad_client <- true
+
let dump d chan =
fprintf chan "dom,%d,%nd,%d\n" d.id d.mfn d.port
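Review bot: `dump`, visible as context right below the new `is_bad_domain`/`mark_as_bad` accessors, still writes only `d.id d.mfn d.port`, so the bad flag is not part of the dumped domain record. If that dump is what oxenstored reads back after a restart (not visible on this page), a domain that was marked bad would come back through `make` with `bad_client = false` and be serviced again without the VM reboot the commit message requires. Consider either persisting the flag, e.g. `fprintf chan "dom,%d,%nd,%d,%b\n" d.id d.mfn d.port d.bad_client` together with the matching change in the reader, or adding a comment on `mark_as_bad` that the flag is deliberately not persisted.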
@@ -56,7 +60,8 @@ let make id mfn remote_port interface eventchn = {
remote_port = remote_port;
interface = interface;
eventchn = eventchn;
- port = -1
+ port = -1;
+ bad_client = false
}
let is_dom0 d = d.id = 0