qubes-linux-kernel/0010-xen-netfront-do-not-use-data-already-exposed-to-back.patch

From 8ea03fbc0533da4a06b5b13a2ebff11c5e7e5db6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Wed, 16 Dec 2015 05:19:37 +0100
Subject: [PATCH] xen-netfront: do not use data already exposed to backend
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Backend may freely modify anything on shared page, so use data which was
supposed to be written there, instead of reading it back from the shared
page.

This is part of XSA155.

CC: stable@vger.kernel.org
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
---
 drivers/net/xen-netfront.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
index 4d8d53862d1b..834a7950bea1 100644
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -456,7 +456,7 @@ static void xennet_tx_setup_grant(unsigned long gfn, unsigned int offset,
 	tx->flags = 0;
 
 	info->tx = tx;
-	info->size += tx->size;
+	info->size += len;
 }
 
 static struct xen_netif_tx_request *xennet_make_first_txreq(
@@ -573,7 +573,7 @@ static netdev_tx_t xennet_start_xmit(struct sk_buff *skb, struct net_device *dev
 	int slots;
 	struct page *page;
 	unsigned int offset;
-	unsigned int len;
+	unsigned int len, this_len;
 	unsigned long flags;
 	struct netfront_queue *queue = NULL;
 	unsigned int num_queues = dev->real_num_tx_queues;
@@ -633,14 +633,15 @@ static netdev_tx_t xennet_start_xmit(struct sk_buff *skb, struct net_device *dev
 	}
 
 	/* First request for the linear area. */
+	this_len = min_t(unsigned int, XEN_PAGE_SIZE - offset, len);
 	first_tx = tx = xennet_make_first_txreq(queue, skb,
 						page, offset, len);
-	offset += tx->size;
+	offset += this_len;
 	if (offset == PAGE_SIZE) {
 		page++;
 		offset = 0;
 	}
-	len -= tx->size;
+	len -= this_len;
 
 	if (skb->ip_summed == CHECKSUM_PARTIAL)
 		/* local packet? */
-- 
2.20.1
Update patches 2019-03-15 21:28:57 +00:00			`From 8ea03fbc0533da4a06b5b13a2ebff11c5e7e5db6 Mon Sep 17 00:00:00 2001`
Apply XSA-155 patches (frontends part) 2015-12-17 08:24:01 +00:00			`From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=`
			`<marmarek@invisiblethingslab.com>`
			`Date: Wed, 16 Dec 2015 05:19:37 +0100`
Update XSA155 patches 2018-08-15 12:57:19 +00:00			`Subject: [PATCH] xen-netfront: do not use data already exposed to backend`
Apply XSA-155 patches (frontends part) 2015-12-17 08:24:01 +00:00			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`Backend may freely modify anything on shared page, so use data which was`
			`supposed to be written there, instead of reading it back from the shared`
			`page.`

			`This is part of XSA155.`

			`CC: stable@vger.kernel.org`
			`Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>`
			`---`
Update XSA155 patches 2018-08-15 12:57:19 +00:00			`drivers/net/xen-netfront.c \| 9 +++++----`
			`1 file changed, 5 insertions(+), 4 deletions(-)`
Apply XSA-155 patches (frontends part) 2015-12-17 08:24:01 +00:00
			`diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c`
Update patches 2019-03-15 21:28:57 +00:00			`index 4d8d53862d1b..834a7950bea1 100644`
Apply XSA-155 patches (frontends part) 2015-12-17 08:24:01 +00:00			`--- a/drivers/net/xen-netfront.c`
			`+++ b/drivers/net/xen-netfront.c`
Update patches 2019-03-15 21:28:57 +00:00			`@@ -456,7 +456,7 @@ static void xennet_tx_setup_grant(unsigned long gfn, unsigned int offset,`
version 4.4.8-9 As usual - dropped patched already applied there, other updated. 2016-05-08 18:45:02 +00:00			`tx->flags = 0;`
Apply XSA-155 patches (frontends part) 2015-12-17 08:24:01 +00:00
version 4.4.8-9 As usual - dropped patched already applied there, other updated. 2016-05-08 18:45:02 +00:00			`info->tx = tx;`
			`- info->size += tx->size;`
			`+ info->size += len;`
			`}`
Apply XSA-155 patches (frontends part) 2015-12-17 08:24:01 +00:00
version 4.4.8-9 As usual - dropped patched already applied there, other updated. 2016-05-08 18:45:02 +00:00			`static struct xen_netif_tx_request *xennet_make_first_txreq(`
Update patches 2019-03-15 21:28:57 +00:00			`@@ -573,7 +573,7 @@ static netdev_tx_t xennet_start_xmit(struct sk_buff skb, struct net_device dev`
Apply XSA-155 patches (frontends part) 2015-12-17 08:24:01 +00:00			`int slots;`
			`struct page *page;`
			`unsigned int offset;`
			`- unsigned int len;`
			`+ unsigned int len, this_len;`
			`unsigned long flags;`
			`struct netfront_queue *queue = NULL;`
			`unsigned int num_queues = dev->real_num_tx_queues;`
Update patches 2019-03-15 21:28:57 +00:00			`@@ -633,14 +633,15 @@ static netdev_tx_t xennet_start_xmit(struct sk_buff skb, struct net_device dev`
Apply XSA-155 patches (frontends part) 2015-12-17 08:24:01 +00:00			`}`

			`/* First request for the linear area. */`
version 4.4.8-9 As usual - dropped patched already applied there, other updated. 2016-05-08 18:45:02 +00:00			`+ this_len = min_t(unsigned int, XEN_PAGE_SIZE - offset, len);`
			`first_tx = tx = xennet_make_first_txreq(queue, skb,`
			`page, offset, len);`
			`- offset += tx->size;`
			`+ offset += this_len;`
			`if (offset == PAGE_SIZE) {`
			`page++;`
			`offset = 0;`
			`}`
Apply XSA-155 patches (frontends part) 2015-12-17 08:24:01 +00:00			`- len -= tx->size;`
			`+ len -= this_len;`

			`if (skb->ip_summed == CHECKSUM_PARTIAL)`
			`/* local packet? */`
Update XSA155 patches 2018-08-15 12:57:19 +00:00			`--`
Update patches 2019-03-15 21:28:57 +00:00			`2.20.1`
Update XSA155 patches 2018-08-15 12:57:19 +00:00