author | Florian Schmaus <flow@gentoo.org> | 2022-10-19 11:03:58 +0200 |
---|---|---|
committer | Florian Schmaus <flow@gentoo.org> | 2022-10-19 11:03:58 +0200 |
commit | a0ef09913a37dcad16d28e9f5fa1e4f6a7cc5da7 (patch) | |
tree | ee0832868e8dfaf144f16916f7b6dbec24839815 /0016-gnttab-correct-locking-on-transitive-grant-copy-erro.patch | |
parent | Correctly obtain the array length (diff) | |
Xen 4.16.3-pre-patchset-04.16.3-pre-patchset-0
Signed-off-by: Florian Schmaus <flow@gentoo.org>
Diffstat (limited to '0016-gnttab-correct-locking-on-transitive-grant-copy-erro.patch')
-rw-r--r-- | 0016-gnttab-correct-locking-on-transitive-grant-copy-erro.patch | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/0016-gnttab-correct-locking-on-transitive-grant-copy-erro.patch b/0016-gnttab-correct-locking-on-transitive-grant-copy-erro.patch
new file mode 100644
index 0000000..6283d47
--- /dev/null
+++ b/0016-gnttab-correct-locking-on-transitive-grant-copy-erro.patch
@@ -0,0 +1,66 @@
+From 32cb81501c8b858fe9a451650804ec3024a8b364 Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich@suse.com>
+Date: Tue, 11 Oct 2022 14:56:29 +0200
+Subject: [PATCH 16/26] gnttab: correct locking on transitive grant copy error
+ path
+
+While the comment next to the lock dropping in preparation of
+recursively calling acquire_grant_for_copy() mistakenly talks about the
+rd == td case (excluded a few lines further up), the same concerns apply
+to the calling of release_grant_for_copy() on a subsequent error path.
+
+This is CVE-2022-33748 / XSA-411.
+
+Fixes: ad48fb963dbf ("gnttab: fix transitive grant handling")
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+master commit: 6e3aab858eef614a21a782a3b73acc88e74690ea
+master date: 2022-10-11 14:29:30 +0200
+---
+ xen/common/grant_table.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
+index 4c742cd8fe81..d8ca645b96ff 100644
+--- a/xen/common/grant_table.c
++++ b/xen/common/grant_table.c
+@@ -2613,9 +2613,8 @@ acquire_grant_for_copy(
+ trans_domid);
+ 
+ /*
+- * acquire_grant_for_copy() could take the lock on the
+- * remote table (if rd == td), so we have to drop the lock
+- * here and reacquire.
++ * acquire_grant_for_copy() will take the lock on the remote table,
++ * so we have to drop the lock here and reacquire.
+ */
+ active_entry_release(act);
+ grant_read_unlock(rgt);
+@@ -2652,11 +2651,25 @@ acquire_grant_for_copy(
+ act->trans_gref != trans_gref ||
+ !act->is_sub_page)) )
+ {
++ /*
++ * Like above for acquire_grant_for_copy() we need to drop and then
++ * re-acquire the locks here to prevent lock order inversion issues.
++ * Unlike for acquire_grant_for_copy() we don't need to re-check
++ * anything, as release_grant_for_copy() doesn't depend on the grant
++ * table entry: It only updates internal state and the status flags.
++ */
++ active_entry_release(act);
++ grant_read_unlock(rgt);
++
+ release_grant_for_copy(td, trans_gref, readonly);
+ rcu_unlock_domain(td);
++
++ grant_read_lock(rgt);
++ act = active_entry_acquire(rgt, gref);
+ reduce_status_for_pin(rd, act, status, readonly);
+ active_entry_release(act);
+ grant_read_unlock(rgt);
++
+ put_page(*page);
+ *page = NULL;
+ return ERESTART;
+-- 
+2.37.3
+