APPLIED [OEM-5.14] Re: [SRU OEM-5.14/HWE-5.17 0/1] CVE-2022-26365
Timo Aaltonen
tjaalton at ubuntu.com
Tue Nov 29 15:06:50 UTC 2022
Cengiz Can wrote on 15.10.2022 at 2.48:
> [Impact]
> Linux disk/nic frontends data leaks [This CNA information record relates
> to multiple CVEs; the text explains which aspects/vulnerabilities
> correspond to which CVE.] Linux Block and Network PV device frontends
> don’t zero memory regions before sharing them with the backend
> (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the
> grant table doesn’t allow sharing less than a 4K page, leading to
> unrelated data residing in the same 4K page as data shared with a
> backend being accessible by such backend (CVE-2022-33741,
> CVE-2022-33742).
>
> [Fix]
> This is the first fix in a chain of CVEs. It is already in all except
> oem-5.14 and hwe-5.17.
>
> [Test case]
> Compile and boot tested on KVM only.
>
> [Potential regression]
> Low, since it only forces two page allocations to be zeroed first.
>
> Roger Pau Monne (1):
> xen/blkfront: fix leaking data in shared pages
>
> drivers/block/xen-blkfront.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
applied to oem-5.14, thanks
--
t