From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, "Roger Pau Monné" <roger.pau@citrix.com>,
"Jan Beulich" <jbeulich@suse.com>,
"Juergen Gross" <jgross@suse.com>
Subject: [PATCH 5.4 51/58] xen/blkfront: fix leaking data in shared pages
Date: Tue, 5 Jul 2022 13:58:27 +0200
Message-ID: <20220705115611.751901630@linuxfoundation.org>
In-Reply-To: <20220705115610.236040773@linuxfoundation.org>

From: Roger Pau Monne <roger.pau@citrix.com>

commit 2f446ffe9d737e9a844b97887919c4fda18246e7 upstream.

When allocating pages to be used for shared communication with the
backend always zero them, this avoids leaking unintended data present
on the pages.

This is CVE-2022-26365, part of XSA-403.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/xen-blkfront.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/block/xen-blkfront.c
+++ b/drivers/block/xen-blkfront.c
@@ -301,7 +301,7 @@ static int fill_grant_buffer(struct blkf
goto out_of_memory;
if (info->feature_persistent) {
- granted_page = alloc_page(GFP_NOIO);
+ granted_page = alloc_page(GFP_NOIO | __GFP_ZERO);
if (!granted_page) {
kfree(gnt_list_entry);
goto out_of_memory;
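
Review bot: In fill_grant_buffer() the zeroing is applied only to the page allocated under if (info->feature_persistent); the hunk does not show where the granted page comes from when that feature is off. If that path can also hand a freshly allocated, unzeroed page to the backend, it needs the same __GFP_ZERO (or an explicit clear before the grant is issued). If those pages are already fully overwritten or zeroed elsewhere, a short comment here saying so would keep the asymmetry from looking like an oversight.
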
@@ -1744,7 +1744,7 @@ static int setup_blkring(struct xenbus_d
for (i = 0; i < info->nr_ring_pages; i++)
rinfo->ring_ref[i] = GRANT_INVALID_REF;
- sring = alloc_pages_exact(ring_size, GFP_NOIO);
+ sring = alloc_pages_exact(ring_size, GFP_NOIO | __GFP_ZERO);
if (!sring) {
xenbus_dev_fatal(dev, -ENOMEM, "allocating shared ring");
return -ENOMEM;
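
Review bot: Nothing at the alloc_pages_exact() call in setup_blkring() records why __GFP_ZERO is required, so a later cleanup could drop it as redundant with ring initialisation. A one-line comment stating that the ring pages are granted to the backend and must not carry stale kernel data would protect the fix. It is also worth confirming that ring_size covers every byte of the info->nr_ring_pages pages that get a ring_ref, so that no granted page has an unzeroed tail.
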
@@ -2283,7 +2283,8 @@ static int blkfront_setup_indirect(struc
BUG_ON(!list_empty(&rinfo->indirect_pages));
for (i = 0; i < num; i++) {
- struct page *indirect_page = alloc_page(GFP_KERNEL);
+ struct page *indirect_page = alloc_page(GFP_KERNEL |
+ __GFP_ZERO);
if (!indirect_page)
goto out_of_memory;
list_add(&indirect_page->lru, &rinfo->indirect_pages);
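
Review bot: The indirect page allocation in blkfront_setup_indirect() keeps GFP_KERNEL while the two other allocations touched by this patch use GFP_NOIO. That is not introduced by this change, but since the line is being edited anyway, please confirm that this path cannot be reached in a context where reclaim could issue I/O to this same device; the hunk does not show whether the caller already restricts the allocation context. If it does, a note in the commit message or a comment would explain the difference in flags.
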