NACK[H]: [PATCH][H/G/F/X] xen-blkback: don't leak persistent grants from xen_blkbk_map()
Andrea Righi
andrea.righi at canonical.com
Wed Apr 7 06:26:14 UTC 2021
Already applied to hirsute/5.11 via stable updates.
-Andrea
On Thu, Apr 01, 2021 at 10:08:44AM -0600, Tim Gardner wrote:
> From: Jan Beulich <jbeulich at suse.com>
>
> CVE-2021-28688
>
> The fix for XSA-365 zapped too many of the ->persistent_gnt[] entries.
> Ones successfully obtained should not be overwritten, but instead left
> for xen_blkbk_unmap_prepare() to pick up and put.
>
> This is XSA-371.
>
> Signed-off-by: Jan Beulich <jbeulich at suse.com>
> Cc: stable at vger.kernel.org
> Reviewed-by: Juergen Gross <jgross at suse.com>
> Reviewed-by: Wei Liu <wl at xen.org>
> Signed-off-by: Juergen Gross <jgross at suse.com>
> (cherry picked from commit a846738f8c3788d846ed1f587270d2f2e3d32432)
> Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
> ---
> drivers/block/xen-blkback/blkback.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
> index da16121140ca..3874233f7194 100644
> --- a/drivers/block/xen-blkback/blkback.c
> +++ b/drivers/block/xen-blkback/blkback.c
> @@ -891,7 +891,7 @@ static int xen_blkbk_map(struct xen_blkif_ring *ring,
> out:
> for (i = last_map; i < num; i++) {
> /* Don't zap current batch's valid persistent grants. */
> - if(i >= last_map + segs_to_map)
> + if(i >= map_until)
> pages[i]->persistent_gnt = NULL;
> pages[i]->handle = BLKBACK_INVALID_HANDLE;
> }
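Review bot: the new bound in "if(i >= map_until)" depends on a variable that is neither declared nor assigned in the visible context of this hunk, so whether the out: loop keeps exactly the successfully obtained entries rests on what map_until holds at each jump to out:. For every target series, please confirm that map_until is set to the end of the batch whose persistent grants were already looked up before any path reaches out:. The comment above the test could also say that entries below map_until are left for xen_blkbk_unmap_prepare() to put, as the commit message explains. Minor style point: "if(" is missing the space after "if"; it is carried over from the removed line, so it is best left alone in a cherry-pick.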
> --
> 2.17.1
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team