APPLIED: [SRU HWE-5.17 1/1] xen/blkfront: fix leaking data in shared pages

Stefan Bader stefan.bader at canonical.com
Fri Nov 11 12:00:26 UTC 2022 

On 15.10.22 01:48, Cengiz Can wrote:
> From: Roger Pau Monne <roger.pau at citrix.com>
> 
> When allocating pages to be used for shared communication with the
> backend always zero them, this avoids leaking unintended data present
> on the pages.
> 
> This is CVE-2022-26365, part of XSA-403.
> 
> Signed-off-by: Roger Pau Monné <roger.pau at citrix.com>
> Reviewed-by: Jan Beulich <jbeulich at suse.com>
> Reviewed-by: Juergen Gross <jgross at suse.com>
> Signed-off-by: Juergen Gross <jgross at suse.com>
> CVE-2022-26365
> (cherry picked from commit 2f446ffe9d737e9a844b97887919c4fda18246e7)
> Signed-off-by: Cengiz Can <cengiz.can at canonical.com>
> ---

Applied to jammy:linux-hwe-5.17/hwe-5.15-next. Thanks.

-Stefan

>   drivers/block/xen-blkfront.c | 5 +++--
>   1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/block/xen-blkfront.c b/drivers/block/xen-blkfront.c
> index 03b5fb341e589..380fbc425bcc5 100644
> --- a/drivers/block/xen-blkfront.c
> +++ b/drivers/block/xen-blkfront.c
> @@ -313,7 +313,7 @@ static int fill_grant_buffer(struct blkfront_ring_info *rinfo, int num)
>   			goto out_of_memory;
>   
>   		if (info->feature_persistent) {
> -			granted_page = alloc_page(GFP_NOIO);
> +			granted_page = alloc_page(GFP_NOIO | __GFP_ZERO);
>   			if (!granted_page) {
>   				kfree(gnt_list_entry);
>   				goto out_of_memory;
> @@ -2204,7 +2204,8 @@ static int blkfront_setup_indirect(struct blkfront_ring_info *rinfo)
>   
>   		BUG_ON(!list_empty(&rinfo->indirect_pages));
>   		for (i = 0; i < num; i++) {
> -			struct page *indirect_page = alloc_page(GFP_KERNEL);
> +			struct page *indirect_page = alloc_page(GFP_KERNEL |
> +								__GFP_ZERO);
>   			if (!indirect_page)
>   				goto out_of_memory;
>   			list_add(&indirect_page->lru, &rinfo->indirect_pages);

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20221111/48f4bc4a/attachment.sig>

More information about the kernel-team mailing list