qubes-linux-kernel/0011-xen-netfront-add-range-check-for-Tx-response-id.patch

36 lines
1.1 KiB
Diff
Raw Normal View History

From 91bac2da855a018b8ffd1bed9694e9c962340f08 Mon Sep 17 00:00:00 2001
2015-12-17 08:24:01 +00:00
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
<marmarek@invisiblethingslab.com>
Date: Wed, 16 Dec 2015 05:22:24 +0100
2018-08-15 12:57:19 +00:00
Subject: [PATCH] xen-netfront: add range check for Tx response id
2015-12-17 08:24:01 +00:00
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Tx response ID is fetched from shared page, so make sure it is sane
before using it as an array index.
This is part of XSA155.
CC: stable@vger.kernel.org
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
---
drivers/net/xen-netfront.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
index 88578e5aeaaf..69e1c3aebe71 100644
2015-12-17 08:24:01 +00:00
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -394,6 +394,7 @@ static void xennet_tx_buf_gc(struct netfront_queue *queue)
2015-12-17 08:24:01 +00:00
continue;
id = txrsp.id;
+ BUG_ON(id >= NET_TX_RING_SIZE);
skb = queue->tx_skbs[id].skb;
if (unlikely(gnttab_query_foreign_access(
queue->grant_tx_ref[id]) != 0)) {
--
2018-08-15 12:57:19 +00:00
2.17.1
2015-12-17 08:24:01 +00:00