From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Demi Marie Obenour, Juergen Gross, Jan Beulich
Subject: [PATCH 4.9 30/38] xen/xenbus: dont let xenbus_grant_ring() remove grants in error case
Date: Thu, 10 Mar 2022 15:13:43 +0100
Message-Id: <20220310140809.016459163@linuxfoundation.org>
X-Mailer: git-send-email 2.35.1
In-Reply-To: <20220310140808.136149678@linuxfoundation.org>
References: <20220310140808.136149678@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

From: Juergen Gross

Commit 3777ea7bac3113005b7180e6b9dadf16d19a5827 upstream.

Letting xenbus_grant_ring() tear down grants in the error case is
problematic, as the other side could already have used these grants.
Calling gnttab_end_foreign_access_ref() without checking success is
resulting in an unclear situation for any caller of xenbus_grant_ring()
as in the error case the memory pages of the ring page might be partially
mapped. Freeing them would risk unwanted foreign access to them, while
not freeing them would leak memory.

In order to remove the need to undo any gnttab_grant_foreign_access()
calls, use gnttab_alloc_grant_references() to make sure no further error
can occur in the loop granting access to the ring pages.

It should be noted that this way of handling removes leaking of grant
entries in the error case, too.

This is CVE-2022-23040 / part of XSA-396.

Reported-by: Demi Marie Obenour
Signed-off-by: Juergen Gross
Reviewed-by: Jan Beulich
Signed-off-by: Greg Kroah-Hartman --- drivers/xen/xenbus/xenbus_client.c | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) --- a/drivers/xen/xenbus/xenbus_client.c +++ b/drivers/xen/xenbus/xenbus_client.c @@ -387,7 +387,14 @@ int xenbus_grant_ring(struct xenbus_devi unsigned int nr_pages, grant_ref_t *grefs) { int err; - int i, j; + unsigned int i; + grant_ref_t gref_head; + + err = gnttab_alloc_grant_references(nr_pages, &gref_head); + if (err) { + xenbus_dev_fatal(dev, err, "granting access to ring page"); + return err; + } for (i = 0; i < nr_pages; i++) { unsigned long gfn; @@ -397,23 +404,14 @@ int xenbus_grant_ring(struct xenbus_devi else gfn = virt_to_gfn(vaddr); - err = gnttab_grant_foreign_access(dev->otherend_id, gfn, 0); - if (err < 0) { - xenbus_dev_fatal(dev, err, - "granting access to ring page"); - goto fail; - } - grefs[i] = err; + grefs[i] = gnttab_claim_grant_reference(&gref_head); + gnttab_grant_foreign_access_ref(grefs[i], dev->otherend_id, + gfn, 0); vaddr = vaddr + XEN_PAGE_SIZE; } return 0; - -fail: - for (j = 0; j < i; j++) - gnttab_end_foreign_access_ref(grefs[j], 0); - return err; } EXPORT_SYMBOL_GPL(xenbus_grant_ring);
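Review bot: the new early-return path in the first hunk reuses the message "granting access to ring page", but what has failed at that point is the up-front gnttab_alloc_grant_references(nr_pages, &gref_head) call, before any page has been granted; a message such as "allocating grant references for ring pages" would make the xenbus_dev_fatal() report easier to attribute when a caller's probe fails. Returning directly there is correct, since no grant exists yet that would need undoing. The change of i from int to unsigned int also matches the unsigned nr_pages parameter and removes a signed/unsigned comparison in the loop condition.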
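Review bot: in the second hunk the value returned by gnttab_claim_grant_reference(&gref_head) is stored into grefs[i] without a check. That is only safe because exactly nr_pages references were pre-allocated and the loop claims at most nr_pages of them, so the list cannot run dry; a one-line comment stating that invariant beside the claim would protect it against a later edit that changes the loop bound or the allocation count. Dropping the fail: label is the substance of the fix: the removed cleanup called gnttab_end_foreign_access_ref(grefs[j], 0) on references the other end may already have mapped, and because that call only ends access without freeing the reference, the references themselves were leaked as well, which is the "leaking of grant entries" the commit message refers to. With the references now claimed from a pre-allocated batch and all of them handed to the caller in grefs[], the caller remains the sole owner, so no release of gref_head is needed on the success path.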