| From foo@baz Thu Mar 10 02:41:19 PM CET 2022 |
| From: Juergen Gross <jgross@suse.com> |
| Date: Fri, 25 Feb 2022 16:05:41 +0100 |
| Subject: xen/netfront: don't use gnttab_query_foreign_access() for mapped status |
| |
| From: Juergen Gross <jgross@suse.com> |
| |
| Commit 31185df7e2b1d2fa1de4900247a12d7b9c7087eb upstream. |
| |
| It isn't enough to check whether a grant is still being in use by |
| calling gnttab_query_foreign_access(), as a mapping could be realized |
| by the other side just after having called that function. |
| |
| In case the call was done in preparation of revoking a grant it is |
| better to do so via gnttab_end_foreign_access_ref() and check the |
| success of that operation instead. |
| |
| This is CVE-2022-23037 / part of XSA-396. |
| |
| Reported-by: Demi Marie Obenour <demi@invisiblethingslab.com> |
| Signed-off-by: Juergen Gross <jgross@suse.com> |
| Reviewed-by: Jan Beulich <jbeulich@suse.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/net/xen-netfront.c | 6 ++---- |
| 1 file changed, 2 insertions(+), 4 deletions(-) |
| |
| --- a/drivers/net/xen-netfront.c |
| +++ b/drivers/net/xen-netfront.c |
| @@ -413,14 +413,12 @@ static bool xennet_tx_buf_gc(struct netf |
| queue->tx_link[id] = TX_LINK_NONE; |
| skb = queue->tx_skbs[id]; |
| queue->tx_skbs[id] = NULL; |
| - if (unlikely(gnttab_query_foreign_access( |
| - queue->grant_tx_ref[id]) != 0)) { |
| + if (unlikely(!gnttab_end_foreign_access_ref( |
| + queue->grant_tx_ref[id], GNTMAP_readonly))) { |
| dev_alert(dev, |
| "Grant still in use by backend domain\n"); |
| goto err; |
| } |
| - gnttab_end_foreign_access_ref( |
| - queue->grant_tx_ref[id], GNTMAP_readonly); |
| gnttab_release_grant_reference( |
| &queue->gref_tx_head, queue->grant_tx_ref[id]); |
| queue->grant_tx_ref[id] = GRANT_INVALID_REF; |