review.tizen.org Git - platform/kernel/linux-rpi.git/commit

author	Juergen Gross <jgross@suse.com>
	Fri, 25 Feb 2022 15:05:43 +0000 (16:05 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 11 Mar 2022 11:22:37 +0000 (12:22 +0100)
commit	27dc69aa55687ea288d0be6ce8f036330d1dddb5
tree	7ec2462bf636cb3635f1244ea977128da945ebb5	tree \| snapshot
parent	5bff1721c8f9e7c167da2127e191396011032483	commit \| diff

xen/gnttab: fix gnttab_end_foreign_access() without page specified

Commit 42baefac638f06314298087394b982ead9ec444b upstream.

gnttab_end_foreign_access() is used to free a grant reference and
optionally to free the associated page. In case the grant is still in
use by the other side processing is being deferred. This leads to a
problem in case no page to be freed is specified by the caller: the
caller doesn't know that the page is still mapped by the other side
and thus should not be used for other purposes.

The correct way to handle this situation is to take an additional
reference to the granted page in case handling is being deferred and
to drop that reference when the grant reference could be freed
finally.

This requires that there are no users of gnttab_end_foreign_access()
left directly repurposing the granted page after the call, as this
might result in clobbered data or information leaks via the not yet
freed grant reference.

This is part of CVE-2022-23041 / XSA-396.

Reported-by: Simon Gaiser <simon@invisiblethingslab.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drivers/xen/grant-table.c		diff \| blob \| history
include/xen/grant_table.h		diff \| blob \| history