From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Jan Beulich <jbeulich@suse.com>,
	Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>,
	Ben Hutchings <ben.hutchings@codethink.co.uk>
Subject: [PATCH 4.4 06/59] xen-blkback: dont leak stack data via response ring
Date: Sun, 19 Nov 2017 15:32:14 +0100	[thread overview]
Message-ID: <20171119143151.317357655@linuxfoundation.org> (raw)
In-Reply-To: <20171119143150.964013720@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Beulich <jbeulich@suse.com>


commit 089bc0143f489bd3a4578bdff5f4ca68fb26f341 upstream.

Rather than constructing a local structure instance on the stack, fill
the fields directly on the shared ring, just like other backends do.
Build on the fact that all response structure flavors are actually
identical (the old code did make this assumption too).

This is XSA-216.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
[bwh: Backported to 4.4: adjust context]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/block/xen-blkback/blkback.c |   23 ++++++++++++-----------
 drivers/block/xen-blkback/common.h  |   25 +++++--------------------
 2 files changed, 17 insertions(+), 31 deletions(-)

--- a/drivers/block/xen-blkback/blkback.c
+++ b/drivers/block/xen-blkback/blkback.c
@@ -1407,33 +1407,34 @@ static int dispatch_rw_block_io(struct x
 static void make_response(struct xen_blkif *blkif, u64 id,
 			  unsigned short op, int st)
 {
-	struct blkif_response  resp;
+	struct blkif_response *resp;
 	unsigned long     flags;
 	union blkif_back_rings *blk_rings = &blkif->blk_rings;
 	int notify;
 
-	resp.id        = id;
-	resp.operation = op;
-	resp.status    = st;
-
 	spin_lock_irqsave(&blkif->blk_ring_lock, flags);
 	/* Place on the response ring for the relevant domain. */
 	switch (blkif->blk_protocol) {
 	case BLKIF_PROTOCOL_NATIVE:
-		memcpy(RING_GET_RESPONSE(&blk_rings->native, blk_rings->native.rsp_prod_pvt),
-		       &resp, sizeof(resp));
+		resp = RING_GET_RESPONSE(&blk_rings->native,
+					 blk_rings->native.rsp_prod_pvt);
 		break;
 	case BLKIF_PROTOCOL_X86_32:
-		memcpy(RING_GET_RESPONSE(&blk_rings->x86_32, blk_rings->x86_32.rsp_prod_pvt),
-		       &resp, sizeof(resp));
+		resp = RING_GET_RESPONSE(&blk_rings->x86_32,
+					 blk_rings->x86_32.rsp_prod_pvt);
 		break;
 	case BLKIF_PROTOCOL_X86_64:
-		memcpy(RING_GET_RESPONSE(&blk_rings->x86_64, blk_rings->x86_64.rsp_prod_pvt),
-		       &resp, sizeof(resp));
+		resp = RING_GET_RESPONSE(&blk_rings->x86_64,
+					 blk_rings->x86_64.rsp_prod_pvt);
 		break;
 	default:
 		BUG();
 	}
+
+	resp->id        = id;
+	resp->operation = op;
+	resp->status    = st;
+
 	blk_rings->common.rsp_prod_pvt++;
 	RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&blk_rings->common, notify);
 	spin_unlock_irqrestore(&blkif->blk_ring_lock, flags);
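Review bot: The padding bytes of the `struct blkif_response` slot (between `operation` and `status`, plus any tail padding) are now never written by the backend, whereas the old `memcpy` filled them from an uninitialised stack copy; that is the whole fix, yet nothing at the three assignments on the new side records it, so a later "cleanup" back to a local struct plus `memcpy` would quietly reintroduce the problem. I would add above `resp->id = id;` a comment such as `/* Fill the fields in place on the shared ring: never stage the response in a local struct, or uninitialised padding is copied out to the guest (XSA-216). */`. `resp` is only assigned in the three protocol arms and is left unset on the `BUG()` path, which is fine as long as `BUG()` is a no-return in this tree; worth confirming the build stays warning-free with the compiler used for 4.4-stable. make_response's body continues past the hunk (the notify step after the unlock).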
--- a/drivers/block/xen-blkback/common.h
+++ b/drivers/block/xen-blkback/common.h
@@ -74,9 +74,8 @@ extern unsigned int xen_blkif_max_ring_o
 struct blkif_common_request {
 	char dummy;
 };
-struct blkif_common_response {
-	char dummy;
-};
+
+/* i386 protocol version */
 
 struct blkif_x86_32_request_rw {
 	uint8_t        nr_segments;  /* number of segments                   */
@@ -128,14 +127,6 @@ struct blkif_x86_32_request {
 	} u;
 } __attribute__((__packed__));
 
-/* i386 protocol version */
-#pragma pack(push, 4)
-struct blkif_x86_32_response {
-	uint64_t        id;              /* copied from request */
-	uint8_t         operation;       /* copied from request */
-	int16_t         status;          /* BLKIF_RSP_???       */
-};
-#pragma pack(pop)
 /* x86_64 protocol version */
 
 struct blkif_x86_64_request_rw {
@@ -192,18 +183,12 @@ struct blkif_x86_64_request {
 	} u;
 } __attribute__((__packed__));
 
-struct blkif_x86_64_response {
-	uint64_t       __attribute__((__aligned__(8))) id;
-	uint8_t         operation;       /* copied from request */
-	int16_t         status;          /* BLKIF_RSP_???       */
-};
-
 DEFINE_RING_TYPES(blkif_common, struct blkif_common_request,
-		  struct blkif_common_response);
+		  struct blkif_response);
 DEFINE_RING_TYPES(blkif_x86_32, struct blkif_x86_32_request,
-		  struct blkif_x86_32_response);
+		  struct blkif_response __packed);
 DEFINE_RING_TYPES(blkif_x86_64, struct blkif_x86_64_request,
-		  struct blkif_x86_64_response);
+		  struct blkif_response);
 
 union blkif_back_rings {
 	struct blkif_back_ring        native;
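Review bot: The `__packed` appended to `struct blkif_response` in the x86_32 `DEFINE_RING_TYPES` line is now the only thing standing in for the layout the removed 4-byte-packed `blkif_x86_32_response` provided, and it is undocumented, while the same struct appears unqualified on the native and x86_64 lines directly above and below. Presumably the attribute keeps the response member from raising the alignment, and hence the size, of the generated ring-entry union above what the packed x86_32 request struct dictates, so the entry stride stays what a 32-bit frontend expects — this should be confirmed against the shared interface header, which is not in this patch. I would add a comment before the macro, e.g. `/* The i386 ABI aligns the 64-bit id on 4 bytes; __packed keeps the generated ring entry at the size and alignment of the request alone. */`, and one sentence noting that all three flavours deliberately share one response type (as the commit message states). `union blkif_back_rings` begins at the end of the hunk and continues outside it.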


