diff --git a/patches.xen/xsa216-linux-4.11.patch b/patches.xen/xsa216-linux-4.11.patch new file mode 100644 index 0000000..27c8003 --- /dev/null +++ b/patches.xen/xsa216-linux-4.11.patch @@ -0,0 +1,113 @@ +From: Jan Beulich +Subject: xen-blkback: don't leak stack data via response ring + +Rather than constructing a local structure instance on the stack, fill +the fields directly on the shared ring, just like other backends do. +Build on the fact that all response structure flavors are actually +identical (the old code did make this assumption too). + +This is XSA-216. + +Signed-off-by: Jan Beulich +Reviewed-by: Konrad Rzeszutek Wilk + +--- a/drivers/block/xen-blkback/blkback.c ++++ b/drivers/block/xen-blkback/blkback.c +@@ -1436,34 +1436,35 @@ static int dispatch_rw_block_io(struct x + static void make_response(struct xen_blkif_ring *ring, u64 id, + unsigned short op, int st) + { +- struct blkif_response resp; ++ struct blkif_response *resp; + unsigned long flags; + union blkif_back_rings *blk_rings; + int notify; + +- resp.id = id; +- resp.operation = op; +- resp.status = st; +- + spin_lock_irqsave(&ring->blk_ring_lock, flags); + blk_rings = &ring->blk_rings; + /* Place on the response ring for the relevant domain. */ + switch (ring->blkif->blk_protocol) { + case BLKIF_PROTOCOL_NATIVE: +- memcpy(RING_GET_RESPONSE(&blk_rings->native, blk_rings->native.rsp_prod_pvt), +- &resp, sizeof(resp)); ++ resp = RING_GET_RESPONSE(&blk_rings->native, ++ blk_rings->native.rsp_prod_pvt); + break; + case BLKIF_PROTOCOL_X86_32: +- memcpy(RING_GET_RESPONSE(&blk_rings->x86_32, blk_rings->x86_32.rsp_prod_pvt), +- &resp, sizeof(resp)); ++ resp = RING_GET_RESPONSE(&blk_rings->x86_32, ++ blk_rings->x86_32.rsp_prod_pvt); + break; + case BLKIF_PROTOCOL_X86_64: +- memcpy(RING_GET_RESPONSE(&blk_rings->x86_64, blk_rings->x86_64.rsp_prod_pvt), +- &resp, sizeof(resp)); ++ resp = RING_GET_RESPONSE(&blk_rings->x86_64, ++ blk_rings->x86_64.rsp_prod_pvt); + break; + default: + BUG(); + } ++ ++ resp->id = id; ++ resp->operation = op; ++ resp->status = st; ++ + blk_rings->common.rsp_prod_pvt++; + RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&blk_rings->common, notify); + spin_unlock_irqrestore(&ring->blk_ring_lock, flags); +--- a/drivers/block/xen-blkback/common.h ++++ b/drivers/block/xen-blkback/common.h +@@ -75,9 +75,8 @@ extern unsigned int xenblk_max_queues; + struct blkif_common_request { + char dummy; + }; +-struct blkif_common_response { +- char dummy; +-}; ++ ++/* i386 protocol version */ + + struct blkif_x86_32_request_rw { + uint8_t nr_segments; /* number of segments */ +@@ -129,14 +128,6 @@ struct blkif_x86_32_request { + } u; + } __attribute__((__packed__)); + +-/* i386 protocol version */ +-#pragma pack(push, 4) +-struct blkif_x86_32_response { +- uint64_t id; /* copied from request */ +- uint8_t operation; /* copied from request */ +- int16_t status; /* BLKIF_RSP_??? */ +-}; +-#pragma pack(pop) + /* x86_64 protocol version */ + + struct blkif_x86_64_request_rw { +@@ -193,18 +184,12 @@ struct blkif_x86_64_request { + } u; + } __attribute__((__packed__)); + +-struct blkif_x86_64_response { +- uint64_t __attribute__((__aligned__(8))) id; +- uint8_t operation; /* copied from request */ +- int16_t status; /* BLKIF_RSP_??? */ +-}; +- + DEFINE_RING_TYPES(blkif_common, struct blkif_common_request, +- struct blkif_common_response); ++ struct blkif_response); + DEFINE_RING_TYPES(blkif_x86_32, struct blkif_x86_32_request, +- struct blkif_x86_32_response); ++ struct blkif_response __packed); + DEFINE_RING_TYPES(blkif_x86_64, struct blkif_x86_64_request, +- struct blkif_x86_64_response); ++ struct blkif_response); + + union blkif_back_rings { + struct blkif_back_ring native; diff --git a/series.conf b/series.conf index 7b6a7c2..a4bbaa1 100644 --- a/series.conf +++ b/series.conf @@ -19,7 +19,7 @@ patches.xen/xsa155-linux44-0010-xen-netfront-do-not-use-data-already-exposed-to- patches.xen/xsa155-linux-0011-xen-netfront-add-range-check-for-Tx-response-id.patch patches.xen/xsa155-linux312-0012-xen-blkfront-make-local-copy-of-response-before-usin.patch patches.xen/xsa155-linux44-0013-xen-blkfront-prepare-request-locally-only-then-put-i.patch - +patches.xen/xsa216-linux-4.11.patch # MSI-X enabled device passthrough fix (#1734) patches.xen/pci_op-cleanup.patch