Apply XSA 216 patch
parent
33a7122238
commit
98cd82b126
113
patches.xen/xsa216-linux-4.11.patch
Normal file
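--- a/patches.xen/xsa216-linux-4.11.patch
+++ b/patches.xen/xsa216-linux-4.11.patch
@@ -0,0 +1,113 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: xen-blkback: don't leak stack data via response ring
+
+Rather than constructing a local structure instance on the stack, fill
+the fields directly on the shared ring, just like other backends do.
+Build on the fact that all response structure flavors are actually
+identical (the old code did make this assumption too).
+
+This is XSA-216.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+
+--- a/drivers/block/xen-blkback/blkback.c
++++ b/drivers/block/xen-blkback/blkback.c
+@@ -1436,34 +1436,35 @@ static int dispatch_rw_block_io(struct x
+static void make_response(struct xen_blkif_ring *ring, u64 id,
+unsigned short op, int st)
+{
+- struct blkif_response resp;
++ struct blkif_response *resp;
+unsigned long flags;
+union blkif_back_rings *blk_rings;
+int notify;
+
+- resp.id = id;
+- resp.operation = op;
+- resp.status = st;
+-
+spin_lock_irqsave(&ring->blk_ring_lock, flags);
+blk_rings = &ring->blk_rings;
+/* Place on the response ring for the relevant domain. */
+switch (ring->blkif->blk_protocol) {
+case BLKIF_PROTOCOL_NATIVE:
+- memcpy(RING_GET_RESPONSE(&blk_rings->native, blk_rings->native.rsp_prod_pvt),
+- &resp, sizeof(resp));
++ resp = RING_GET_RESPONSE(&blk_rings->native,
++ blk_rings->native.rsp_prod_pvt);
+break;
+case BLKIF_PROTOCOL_X86_32:
+- memcpy(RING_GET_RESPONSE(&blk_rings->x86_32, blk_rings->x86_32.rsp_prod_pvt),
+- &resp, sizeof(resp));
++ resp = RING_GET_RESPONSE(&blk_rings->x86_32,
++ blk_rings->x86_32.rsp_prod_pvt);
+break;
+case BLKIF_PROTOCOL_X86_64:
+- memcpy(RING_GET_RESPONSE(&blk_rings->x86_64, blk_rings->x86_64.rsp_prod_pvt),
+- &resp, sizeof(resp));
++ resp = RING_GET_RESPONSE(&blk_rings->x86_64,
++ blk_rings->x86_64.rsp_prod_pvt);
+break;
+default:
+BUG();
+}
++
++ resp->id = id;
++ resp->operation = op;
++ resp->status = st;
++
+blk_rings->common.rsp_prod_pvt++;
+RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&blk_rings->common, notify);
+spin_unlock_irqrestore(&ring->blk_ring_lock, flags);
+--- a/drivers/block/xen-blkback/common.h
++++ b/drivers/block/xen-blkback/common.h
+@@ -75,9 +75,8 @@ extern unsigned int xenblk_max_queues;
+struct blkif_common_request {
+char dummy;
+};
+-struct blkif_common_response {
+- char dummy;
+-};
++
++/* i386 protocol version */
+
+struct blkif_x86_32_request_rw {
+uint8_t nr_segments; /* number of segments */
+@@ -129,14 +128,6 @@ struct blkif_x86_32_request {
+} u;
+} __attribute__((__packed__));
+
+-/* i386 protocol version */
+-#pragma pack(push, 4)
+-struct blkif_x86_32_response {
+- uint64_t id; /* copied from request */
+- uint8_t operation; /* copied from request */
+- int16_t status; /* BLKIF_RSP_??? */
+-};
+-#pragma pack(pop)
+/* x86_64 protocol version */
+
+struct blkif_x86_64_request_rw {
+@@ -193,18 +184,12 @@ struct blkif_x86_64_request {
+} u;
+} __attribute__((__packed__));
+
+-struct blkif_x86_64_response {
+- uint64_t __attribute__((__aligned__(8))) id;
+- uint8_t operation; /* copied from request */
+- int16_t status; /* BLKIF_RSP_??? */
+-};
+-
+DEFINE_RING_TYPES(blkif_common, struct blkif_common_request,
+- struct blkif_common_response);
++ struct blkif_response);
+DEFINE_RING_TYPES(blkif_x86_32, struct blkif_x86_32_request,
+- struct blkif_x86_32_response);
++ struct blkif_response __packed);
+DEFINE_RING_TYPES(blkif_x86_64, struct blkif_x86_64_request,
+- struct blkif_x86_64_response);
++ struct blkif_response);
+
+union blkif_back_rings {
+struct blkif_back_ring native;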
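Review bot: In `make_response` the three `resp->` stores go through a plain `struct blkif_response *` in every protocol case, including `BLKIF_PROTOCOL_X86_32`, whose ring is now declared with `struct blkif_response __packed`; this is only correct while `id`, `operation` and `status` sit at the same offsets in all three flavors, which the patch description asserts but the new code neither checks nor documents. The definition of `struct blkif_response` is not on this page, so I would add a comment above the `DEFINE_RING_TYPES` lines in common.h, for example `/* make_response() writes id/operation/status through struct blkif_response * for every protocol; the field offsets must match across all three ring flavors. */`, and ideally a compile-time offset check beside it. The comment should also say that the backend deliberately writes only these three fields into the shared slot, so a later refactor does not bring back a whole-struct copy from the stack, which is the leak this patch closes. The body of `make_response` continues past the end of its hunk, so the notify handling after the unlock is not reviewed here.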
@ -19,7 +19,7 @@ patches.xen/xsa155-linux44-0010-xen-netfront-do-not-use-data-already-exposed-to-
|
|||||||
patches.xen/xsa155-linux-0011-xen-netfront-add-range-check-for-Tx-response-id.patch
|
patches.xen/xsa155-linux-0011-xen-netfront-add-range-check-for-Tx-response-id.patch
|
||||||
patches.xen/xsa155-linux312-0012-xen-blkfront-make-local-copy-of-response-before-usin.patch
|
patches.xen/xsa155-linux312-0012-xen-blkfront-make-local-copy-of-response-before-usin.patch
|
||||||
patches.xen/xsa155-linux44-0013-xen-blkfront-prepare-request-locally-only-then-put-i.patch
|
patches.xen/xsa155-linux44-0013-xen-blkfront-prepare-request-locally-only-then-put-i.patch
|
||||||
|
patches.xen/xsa216-linux-4.11.patch
|
||||||
|
|
||||||
# MSI-X enabled device passthrough fix (#1734)
|
# MSI-X enabled device passthrough fix (#1734)
|
||||||
patches.xen/pci_op-cleanup.patch
|
patches.xen/pci_op-cleanup.patch
|
||||||
|