version 4.14.103-1
This commit is contained in:
parent
dd856cb424
commit
732416c1bd
@ -70,8 +70,8 @@ index 6cc9478..94fb536 100644
|
|||||||
|
|
||||||
# actual build commands
|
# actual build commands
|
||||||
quiet_cmd_vdso32ld = VDSO32L $@
|
quiet_cmd_vdso32ld = VDSO32L $@
|
||||||
- cmd_vdso32ld = $(CC) $(c_flags) -Wl,-T $^ -o $@
|
- cmd_vdso32ld = $(CC) $(c_flags) -Wl,-T $(filter %.lds %.o,$^) -o $@
|
||||||
+ cmd_vdso32ld = $(CC) $(c_flags) -Wl,-T $^ -o $@ \
|
+ cmd_vdso32ld = $(CC) $(c_flags) -Wl,-T $(filter %.lds %.o,$^) -o $@ \
|
||||||
+ $(if $(AFTER_LINK),; $(AFTER_LINK))
|
+ $(if $(AFTER_LINK),; $(AFTER_LINK))
|
||||||
quiet_cmd_vdso32as = VDSO32A $@
|
quiet_cmd_vdso32as = VDSO32A $@
|
||||||
cmd_vdso32as = $(CC) $(a_flags) -c -o $@ $<
|
cmd_vdso32as = $(CC) $(a_flags) -c -o $@ $<
|
||||||
@ -84,8 +84,8 @@ index 2d54c18..a0e3e9d 100644
|
|||||||
|
|
||||||
# actual build commands
|
# actual build commands
|
||||||
quiet_cmd_vdso64ld = VDSO64L $@
|
quiet_cmd_vdso64ld = VDSO64L $@
|
||||||
- cmd_vdso64ld = $(CC) $(c_flags) -Wl,-T $^ -o $@
|
- cmd_vdso64ld = $(CC) $(c_flags) -Wl,-T $(filter %.lds %.o,$^) -o $@
|
||||||
+ cmd_vdso64ld = $(CC) $(c_flags) -Wl,-T $^ -o $@ \
|
+ cmd_vdso64ld = $(CC) $(c_flags) -Wl,-T $(filter %.lds %.o,$^) -o $@ \
|
||||||
+ $(if $(AFTER_LINK),; $(AFTER_LINK))
|
+ $(if $(AFTER_LINK),; $(AFTER_LINK))
|
||||||
quiet_cmd_vdso64as = VDSO64A $@
|
quiet_cmd_vdso64as = VDSO64A $@
|
||||||
cmd_vdso64as = $(CC) $(a_flags) -c -o $@ $<
|
cmd_vdso64as = $(CC) $(a_flags) -c -o $@ $<
|
||||||
|
@ -1,49 +0,0 @@
|
|||||||
From: Jan Beulich <jbeulich@suse.com>
|
|
||||||
Subject: xen-netback: fix input validation in xenvif_set_hash_mapping()
|
|
||||||
|
|
||||||
Both len and off are frontend specified values, so we need to make
|
|
||||||
sure there's no overflow when adding the two for the bounds check. We
|
|
||||||
also want to avoid undefined behavior and hence use off to index into
|
|
||||||
->hash.mapping[] only after bounds checking. This at the same time
|
|
||||||
allows to take care of not applying off twice for the bounds checking
|
|
||||||
against vif->num_queues.
|
|
||||||
|
|
||||||
It is also insufficient to bounds check copy_op.len, as this is len
|
|
||||||
truncated to 16 bits.
|
|
||||||
|
|
||||||
This is XSA-270.
|
|
||||||
|
|
||||||
Signed-off-by: Jan Beulich <jbeulich@suse.com>
|
|
||||||
Reviewed-by: Paul Durrant <paul.durrant@citrix.com>
|
|
||||||
Tested-by: Paul Durrant <paul.durrant@citrix.com>
|
|
||||||
|
|
||||||
--- a/drivers/net/xen-netback/hash.c
|
|
||||||
+++ b/drivers/net/xen-netback/hash.c
|
|
||||||
@@ -332,20 +332,22 @@ u32 xenvif_set_hash_mapping_size(struct
|
|
||||||
u32 xenvif_set_hash_mapping(struct xenvif *vif, u32 gref, u32 len,
|
|
||||||
u32 off)
|
|
||||||
{
|
|
||||||
- u32 *mapping = &vif->hash.mapping[off];
|
|
||||||
+ u32 *mapping = vif->hash.mapping;
|
|
||||||
struct gnttab_copy copy_op = {
|
|
||||||
.source.u.ref = gref,
|
|
||||||
.source.domid = vif->domid,
|
|
||||||
- .dest.u.gmfn = virt_to_gfn(mapping),
|
|
||||||
.dest.domid = DOMID_SELF,
|
|
||||||
- .dest.offset = xen_offset_in_page(mapping),
|
|
||||||
- .len = len * sizeof(u32),
|
|
||||||
+ .len = len * sizeof(*mapping),
|
|
||||||
.flags = GNTCOPY_source_gref
|
|
||||||
};
|
|
||||||
|
|
||||||
- if ((off + len > vif->hash.size) || copy_op.len > XEN_PAGE_SIZE)
|
|
||||||
+ if ((off + len < off) || (off + len > vif->hash.size) ||
|
|
||||||
+ len > XEN_PAGE_SIZE / sizeof(*mapping))
|
|
||||||
return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER;
|
|
||||||
|
|
||||||
+ copy_op.dest.u.gmfn = virt_to_gfn(mapping + off);
|
|
||||||
+ copy_op.dest.offset = xen_offset_in_page(mapping + off);
|
|
||||||
+
|
|
||||||
while (len-- != 0)
|
|
||||||
if (mapping[off++] >= vif->num_queues)
|
|
||||||
return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER;
|
|
@ -18,7 +18,6 @@ patches.xen/xsa155-linux44-0010-xen-netfront-do-not-use-data-already-exposed-to-
|
|||||||
patches.xen/xsa155-linux-0011-xen-netfront-add-range-check-for-Tx-response-id.patch
|
patches.xen/xsa155-linux-0011-xen-netfront-add-range-check-for-Tx-response-id.patch
|
||||||
patches.xen/xsa155-linux312-0012-xen-blkfront-make-local-copy-of-response-before-usin.patch
|
patches.xen/xsa155-linux312-0012-xen-blkfront-make-local-copy-of-response-before-usin.patch
|
||||||
patches.xen/xsa155-linux44-0013-xen-blkfront-prepare-request-locally-only-then-put-i.patch
|
patches.xen/xsa155-linux44-0013-xen-blkfront-prepare-request-locally-only-then-put-i.patch
|
||||||
patches.xen/xsa270.patch
|
|
||||||
|
|
||||||
# MSI-X enabled device passthrough fix (#1734)
|
# MSI-X enabled device passthrough fix (#1734)
|
||||||
patches.xen/pci_op-cleanup.patch
|
patches.xen/pci_op-cleanup.patch
|
||||||
|
Loading…
Reference in New Issue
Block a user