From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Demi Marie Obenour, Juergen Gross, Jan Beulich
Subject: [PATCH 4.14 22/31] xen/xenbus: don't let xenbus_grant_ring() remove grants in error case
Date: Thu, 10 Mar 2022 15:18:35 +0100
Message-Id: <20220310140808.186042536@linuxfoundation.org>
In-Reply-To: <20220310140807.524313448@linuxfoundation.org>
References: <20220310140807.524313448@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Juergen Gross

Commit 3777ea7bac3113005b7180e6b9dadf16d19a5827 upstream.

Letting xenbus_grant_ring() tear down grants in the error case is problematic, as the other side could already have used these grants. Calling gnttab_end_foreign_access_ref() without checking success is resulting in an unclear situation for any caller of xenbus_grant_ring(), as in the error case the memory pages of the ring page might be partially mapped. Freeing them would risk unwanted foreign access to them, while not freeing them would leak memory.

In order to remove the need to undo any gnttab_grant_foreign_access() calls, use gnttab_alloc_grant_references() to make sure no further error can occur in the loop granting access to the ring pages.

It should be noted that this way of handling removes leaking of grant entries in the error case, too.

This is CVE-2022-23040 / part of XSA-396.

Reported-by: Demi Marie Obenour
Signed-off-by: Juergen Gross
Reviewed-by: Jan Beulich
Signed-off-by: Greg Kroah-Hartman --- drivers/xen/xenbus/xenbus_client.c | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) --- a/drivers/xen/xenbus/xenbus_client.c +++ b/drivers/xen/xenbus/xenbus_client.c @@ -368,7 +368,14 @@ int xenbus_grant_ring(struct xenbus_devi unsigned int nr_pages, grant_ref_t *grefs) { int err; - int i, j; + unsigned int i; + grant_ref_t gref_head; + + err = gnttab_alloc_grant_references(nr_pages, &gref_head); + if (err) { + xenbus_dev_fatal(dev, err, "granting access to ring page"); + return err; + } for (i = 0; i < nr_pages; i++) { unsigned long gfn; @@ -378,23 +385,14 @@ int xenbus_grant_ring(struct xenbus_devi else gfn = virt_to_gfn(vaddr); - err = gnttab_grant_foreign_access(dev->otherend_id, gfn, 0); - if (err < 0) { - xenbus_dev_fatal(dev, err, - "granting access to ring page"); - goto fail; - } - grefs[i] = err; + grefs[i] = gnttab_claim_grant_reference(&gref_head); + gnttab_grant_foreign_access_ref(grefs[i], dev->otherend_id, + gfn, 0); vaddr = vaddr + XEN_PAGE_SIZE; } return 0; - -fail: - for (j = 0; j < i; j++) - gnttab_end_foreign_access_ref(grefs[j], 0); - return err; } EXPORT_SYMBOL_GPL(xenbus_grant_ring);
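Review bot: in the first hunk, the message passed to xenbus_dev_fatal() on the new gnttab_alloc_grant_references() failure path, "granting access to ring page", describes the old per-page grant failure rather than the reference allocation that actually failed; wording such as "allocating grant references for ring pages" would make the log line distinguishable from other grant failures when diagnosing a backend setup problem. A one-line comment next to the allocation that exactly nr_pages references are reserved here and all of them are claimed in the loop below would also help, since a reader looking for a matching release of gref_head will otherwise wonder whether one was missed; none is needed because no path leaves an unclaimed reference.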
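Review bot: in the second hunk, the return value of gnttab_claim_grant_reference(&gref_head) is stored straight into grefs[i] with no check, which is correct only because exactly nr_pages references were reserved before the loop; a short comment stating that invariant at the claim site would help, as this is precisely where the old code had explicit error handling and a future change to the allocation size would silently break it. With the fail: label gone, the unchecked gnttab_end_foreign_access_ref(grefs[j], 0) cleanup the commit message warns about is no longer reachable, and the function now either grants every ring page or returns before granting any, so callers no longer have to reason about a ring that is partially accessible to the other end.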