xen/blkfront: fix leaking data in shared pages
authorRoger Pau Monne <roger.pau@citrix.com>
Wed, 30 Mar 2022 07:03:48 +0000 (09:03 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 7 Jul 2022 15:53:31 +0000 (17:53 +0200)
commit 2f446ffe9d737e9a844b97887919c4fda18246e7 upstream.

When allocating pages to be used for shared communication with the
backend, always zero them; this avoids leaking unintended data present
on the pages.

This is CVE-2022-26365, part of XSA-403.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/block/xen-blkfront.c

index d7a9bf4..317b0b0 100644 (file)
@@ -312,7 +312,7 @@ static int fill_grant_buffer(struct blkfront_ring_info *rinfo, int num)
                        goto out_of_memory;
 
                if (info->feature_persistent) {
-                       granted_page = alloc_page(GFP_NOIO);
+                       granted_page = alloc_page(GFP_NOIO | __GFP_ZERO);
                        if (!granted_page) {
                                kfree(gnt_list_entry);
                                goto out_of_memory;
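Review bot: None of the three `__GFP_ZERO` additions (this one in fill_grant_buffer, and those in setup_blkring and blkfront_setup_indirect) carries a comment saying why the flag is there, so a later cleanup could drop it as a redundant cost without noticing that the page is shared with the backend. I would add `/* Zero the page: it is granted to the backend and must not expose stale kernel data. */` above the allocation, with the same wording at the other two sites. Only the `info->feature_persistent` branch is visible, and fill_grant_buffer starts and ends outside the hunk. Whether pages granted on the non-persistent path are covered elsewhere cannot be confirmed from here and is worth checking.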
@@ -1692,7 +1692,7 @@ static int setup_blkring(struct xenbus_device *dev,
        for (i = 0; i < info->nr_ring_pages; i++)
                rinfo->ring_ref[i] = GRANT_INVALID_REF;
 
-       sring = alloc_pages_exact(ring_size, GFP_NOIO);
+       sring = alloc_pages_exact(ring_size, GFP_NOIO | __GFP_ZERO);
        if (!sring) {
                xenbus_dev_fatal(dev, -ENOMEM, "allocating shared ring");
                return -ENOMEM;
@@ -2209,7 +2209,8 @@ static int blkfront_setup_indirect(struct blkfront_ring_info *rinfo)
 
                BUG_ON(!list_empty(&rinfo->indirect_pages));
                for (i = 0; i < num; i++) {
-                       struct page *indirect_page = alloc_page(GFP_KERNEL);
+                       struct page *indirect_page = alloc_page(GFP_KERNEL |
+                                                               __GFP_ZERO);
                        if (!indirect_page)
                                goto out_of_memory;
                        list_add(&indirect_page->lru, &rinfo->indirect_pages);
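Review bot: Zeroing in `alloc_page(GFP_KERNEL | __GFP_ZERO)` covers only the first use of each page placed on `rinfo->indirect_pages`. If pages are taken from this list and returned to it across requests, which is not visible in this hunk, a later grant of the same page would still carry what the previous request left there. It is worth confirming how the pool is recycled and documenting the limit at the allocation, for example `/* Zeroed once at allocation; pages recycled through indirect_pages are not cleared again. */`. blkfront_setup_indirect starts and ends outside the hunk.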