mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-30 14:19:16 +00:00
Code Issues Releases Wiki Activity
linux-stable/drivers/xen
History
Juergen Gross 42baefac63 xen/gnttab: fix gnttab_end_foreign_access() without page specified 
gnttab_end_foreign_access() is used to free a grant reference and
optionally to free the associated page. In case the grant is still in
use by the other side processing is being deferred. This leads to a
problem in case no page to be freed is specified by the caller: the
caller doesn't know that the page is still mapped by the other side
and thus should not be used for other purposes.

The correct way to handle this situation is to take an additional
reference to the granted page in case handling is being deferred and
to drop that reference when the grant reference could be freed
finally.

This requires that there are no users of gnttab_end_foreign_access()
left directly repurposing the granted page after the call, as this
might result in clobbered data or information leaks via the not yet
freed grant reference.

This is part of CVE-2022-23041 / XSA-396.

Reported-by: Simon Gaiser <simon@invisiblethingslab.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
V4:
- expand comment in header
V5:
- get page ref in case of kmalloc() failure, too
2022-03-07 09:48:55 +01:00
..
events xen/console: harden hvc_xen against event channel storms 2021-12-16 08:24:08 +01:00
xen-pciback xen-pciback: allow compiling on other archs than x86 2021-11-02 08:03:43 -05:00
xenbus xen/xenbus: don't let xenbus_grant_ring() remove grants in error case 2022-03-07 09:48:54 +01:00
xenfs
acpi.c
arm-device.c
balloon.c xen/balloon: Bring alloc(free)_xenballooned_pages helpers back 2022-01-06 09:53:35 +01:00
biomerge.c
cpu_hotplug.c
dbgp.c
efi.c
evtchn.c xen/evtchn: use READ/WRITE_ONCE() for accessing ring indices 2021-02-23 10:07:52 -06:00
features.c xen: check required Xen features 2021-08-30 11:57:45 +02:00
gntalloc.c xen/gntalloc: don't use gnttab_query_foreign_access() 2022-03-07 09:48:54 +01:00
gntdev-common.h
gntdev-dmabuf.c dma-buf: move dma-buf symbols into the DMA_BUF module namespace 2021-10-25 14:53:08 +02:00
gntdev-dmabuf.h
gntdev.c xen/gntdev: fix unmap notification order 2022-01-06 08:52:22 +01:00
grant-table.c xen/gnttab: fix gnttab_end_foreign_access() without page specified 2022-03-07 09:48:55 +01:00
Kconfig arm/xen: Read extended regions from DT and init Xen resource 2022-01-06 09:53:41 +01:00
Makefile xen-pciback: allow compiling on other archs than x86 2021-11-02 08:03:43 -05:00
manage.c
mcelog.c
mem-reservation.c x86/xen: remove 32-bit pv leftovers 2021-11-02 08:03:43 -05:00
pci.c xen/pci: Make use of the helper macro LIST_HEAD() 2022-02-10 11:10:23 +01:00
pcpu.c xen: Use DEVICE_ATTR_*() macro 2021-07-05 09:23:31 +02:00
platform-pci.c
privcmd-buf.c
privcmd.c xen/privcmd: drop "pages" parameter from xen_remap_pfn() 2021-10-05 08:20:27 +02:00
privcmd.h
pvcalls-back.c xen/pvcalls-back: Remove redundant 'flush_workqueue()' calls 2021-11-02 07:45:44 -05:00
pvcalls-front.c xen/pvcalls: use alloc/free_pages_exact() 2022-03-07 09:48:55 +01:00
pvcalls-front.h
swiotlb-xen.c Merge branch 'akpm' (patches from Andrew) 2021-11-06 14:08:17 -07:00
sys-hypervisor.c
time.c x86/paravirt: Switch time pvops functions to use static_call() 2021-03-11 16:17:52 +01:00
unpopulated-alloc.c xen/unpopulated-alloc: Add mechanism to use Xen resource 2022-01-06 09:53:38 +01:00
xen-acpi-pad.c
xen-acpi-processor.c xen: Fix implicit type conversion 2021-11-02 07:45:44 -05:00
xen-balloon.c xen: Use DEVICE_ATTR_*() macro 2021-07-05 09:23:31 +02:00
xen-front-pgdir-shbuf.c xen-front-pgdir-shbuf: don't record wrong grant handle upon error 2021-02-23 12:35:43 -06:00
xen-scsiback.c isystem: trim/fixup stdarg.h and other headers 2021-08-19 09:02:55 +09:00
xlate_mmu.c