qubes-linux-kernel/patches.xen/xsa155-linux44-0010-xen-netfront-do-not-use-data-already-exposed-to-back.patch

65 lines
1.9 KiB
Diff
Raw Normal View History

2015-12-17 08:24:01 +00:00
From 2adc557330dde5b474d885518d2663180d3c8f45 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
<marmarek@invisiblethingslab.com>
Date: Wed, 16 Dec 2015 05:19:37 +0100
Subject: [PATCH 10/13] xen-netfront: do not use data already exposed to
backend
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Organization: Invisible Things Lab
Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Backend may freely modify anything on shared page, so use data which was
supposed to be written there, instead of reading it back from the shared
page.
This is part of XSA155.
CC: stable@vger.kernel.org
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
---
drivers/net/xen-netfront.c | 32 +++++++++++---------------------
1 file changed, 11 insertions(+), 21 deletions(-)
diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
index 2af5100..959e479 100644
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -453,7 +453,7 @@ static void xennet_tx_setup_grant(unsign
tx->flags = 0;
2015-12-17 08:24:01 +00:00
info->tx = tx;
- info->size += tx->size;
+ info->size += len;
}
2015-12-17 08:24:01 +00:00
static struct xen_netif_tx_request *xennet_make_first_txreq(
2015-12-17 08:24:01 +00:00
@@ -522,7 +524,7 @@ static int xennet_start_xmit(struct sk_b
int slots;
struct page *page;
unsigned int offset;
- unsigned int len;
+ unsigned int len, this_len;
unsigned long flags;
struct netfront_queue *queue = NULL;
unsigned int num_queues = dev->real_num_tx_queues;
@@ -614,14 +614,15 @@ static int xennet_start_xmit(struct sk_b
2015-12-17 08:24:01 +00:00
}
/* First request for the linear area. */
+ this_len = min_t(unsigned int, XEN_PAGE_SIZE - offset, len);
first_tx = tx = xennet_make_first_txreq(queue, skb,
page, offset, len);
- offset += tx->size;
+ offset += this_len;
if (offset == PAGE_SIZE) {
page++;
offset = 0;
}
2015-12-17 08:24:01 +00:00
- len -= tx->size;
+ len -= this_len;
if (skb->ip_summed == CHECKSUM_PARTIAL)
/* local packet? */