
xen-blkback: don't leak persistent grants from xen_blkbk_map()

Message ID 20210402140353.31150-2-tim.gardner@canonical.com
State New
Series xen-blkback: don't leak persistent grants from xen_blkbk_map()

Commit Message

Tim Gardner April 2, 2021, 2:03 p.m. UTC
From: Jan Beulich <jbeulich@suse.com>

CVE-2021-28688

BugLink: https://bugs.launchpad.net/bugs/1921902

The fix for XSA-365 zapped too many of the ->persistent_gnt[] entries.
Ones successfully obtained should not be overwritten, but instead left
for xen_blkbk_unmap_prepare() to pick up and put.

This is XSA-371.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Cc: stable@vger.kernel.org
Reviewed-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Wei Liu <wl@xen.org>
Signed-off-by: Juergen Gross <jgross@suse.com>
(cherry picked from commit a846738f8c3788d846ed1f587270d2f2e3d32432)
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---
 drivers/block/xen-blkback/blkback.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Stefan Bader April 8, 2021, 6:13 a.m. UTC | #1
On 02.04.21 16:03, Tim Gardner wrote:
> From: Jan Beulich <jbeulich@suse.com>
> 
> CVE-2021-28688
> 
> BugLink: https://bugs.launchpad.net/bugs/1921902
> 
> The fix for XSA-365 zapped too many of the ->persistent_gnt[] entries.
> Ones successfully obtained should not be overwritten, but instead left
> for xen_blkbk_unmap_prepare() to pick up and put.
> 
> This is XSA-371.
> 
> Signed-off-by: Jan Beulich <jbeulich@suse.com>
> Cc: stable@vger.kernel.org
> Reviewed-by: Juergen Gross <jgross@suse.com>
> Reviewed-by: Wei Liu <wl@xen.org>
> Signed-off-by: Juergen Gross <jgross@suse.com>
> (cherry picked from commit a846738f8c3788d846ed1f587270d2f2e3d32432)
> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>   drivers/block/xen-blkback/blkback.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
> index a703f365b5b19..ec292aa62046a 100644
> --- a/drivers/block/xen-blkback/blkback.c
> +++ b/drivers/block/xen-blkback/blkback.c
> @@ -937,7 +937,7 @@ static int xen_blkbk_map(struct xen_blkif_ring *ring,
>   out:
>   	for (i = last_map; i < num; i++) {
>   		/* Don't zap current batch's valid persistent grants. */
> -		if(i >= last_map + segs_to_map)
> +		if(i >= map_until)
>   			pages[i]->persistent_gnt = NULL;
>   		pages[i]->handle = BLKBACK_INVALID_HANDLE;
>   	}
>
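Review bot: Style point on the changed line: `if(i >= map_until)` keeps the missing space after `if` that the removed line already had, which kernel coding style asks for. As this is a cherry-pick, keeping the line identical to the upstream commit is a reasonable choice, but it is worth stating that the deviation is deliberate so it is not "fixed" in a way that makes later stable patches to this loop fail to apply.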
Kleber Sacilotto de Souza April 8, 2021, 9:26 a.m. UTC | #2
On 02.04.21 16:03, Tim Gardner wrote:
> From: Jan Beulich <jbeulich@suse.com>
> 
> CVE-2021-28688
> 
> BugLink: https://bugs.launchpad.net/bugs/1921902
> 
> The fix for XSA-365 zapped too many of the ->persistent_gnt[] entries.
> Ones successfully obtained should not be overwritten, but instead left
> for xen_blkbk_unmap_prepare() to pick up and put.
> 
> This is XSA-371.
> 
> Signed-off-by: Jan Beulich <jbeulich@suse.com>
> Cc: stable@vger.kernel.org
> Reviewed-by: Juergen Gross <jgross@suse.com>
> Reviewed-by: Wei Liu <wl@xen.org>
> Signed-off-by: Juergen Gross <jgross@suse.com>
> (cherry picked from commit a846738f8c3788d846ed1f587270d2f2e3d32432)
> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

Thanks

> ---
>   drivers/block/xen-blkback/blkback.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
> index a703f365b5b19..ec292aa62046a 100644
> --- a/drivers/block/xen-blkback/blkback.c
> +++ b/drivers/block/xen-blkback/blkback.c
> @@ -937,7 +937,7 @@ static int xen_blkbk_map(struct xen_blkif_ring *ring,
>   out:
>   	for (i = last_map; i < num; i++) {
>   		/* Don't zap current batch's valid persistent grants. */
> -		if(i >= last_map + segs_to_map)
> +		if(i >= map_until)
>   			pages[i]->persistent_gnt = NULL;
>   		pages[i]->handle = BLKBACK_INVALID_HANDLE;
>   	}
>
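Review bot: The comment above the changed condition, "Don't zap current batch's valid persistent grants.", does not say what `map_until` marks, and the commit message only says the old bound `last_map + segs_to_map` zapped too many entries. Suggest extending the comment to state that entries from `last_map` up to, but not including, `map_until` may hold grants that were successfully obtained and are left for xen_blkbk_unmap_prepare() to pick up and put, so the reason for the bound survives later edits to this loop.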

Patch

diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
index a703f365b5b19..ec292aa62046a 100644
--- a/drivers/block/xen-blkback/blkback.c
+++ b/drivers/block/xen-blkback/blkback.c
@@ -937,7 +937,7 @@  static int xen_blkbk_map(struct xen_blkif_ring *ring,
 out:
 	for (i = last_map; i < num; i++) {
 		/* Don't zap current batch's valid persistent grants. */
-		if(i >= last_map + segs_to_map)
+		if(i >= map_until)
 			pages[i]->persistent_gnt = NULL;
 		pages[i]->handle = BLKBACK_INVALID_HANDLE;
 	}
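Review bot: Missing from the visible context around `if(i >= map_until)` is where `map_until` is assigned relative to each jump to `out:`; the hunk shows neither its declaration nor its last update. Please confirm that on every path reaching `out:` it refers to the batch that starts at `last_map`, because this loop now relies on it alone to decide which `pages[i]->persistent_gnt` pointers survive while every `pages[i]->handle` from `last_map` on is reset to BLKBACK_INVALID_HANDLE.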