From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Demi Marie Obenour, Juergen Gross, Jan Beulich
Subject: [PATCH 4.19 23/33] xen/xenbus: don't let xenbus_grant_ring() remove grants in error case
Date: Thu, 10 Mar 2022 15:18:50 +0100
Message-Id: <20220310140808.426358398@linuxfoundation.org>
In-Reply-To: <20220310140807.749164737@linuxfoundation.org>
References: <20220310140807.749164737@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Juergen Gross

Commit 3777ea7bac3113005b7180e6b9dadf16d19a5827 upstream.

Letting xenbus_grant_ring() tear down grants in the error case is problematic, as the other side could already have used these grants. Calling gnttab_end_foreign_access_ref() without checking success is resulting in an unclear situation for any caller of xenbus_grant_ring() as in the error case the memory pages of the ring page might be partially mapped. Freeing them would risk unwanted foreign access to them, while not freeing them would leak memory.

In order to remove the need to undo any gnttab_grant_foreign_access() calls, use gnttab_alloc_grant_references() to make sure no further error can occur in the loop granting access to the ring pages.

It should be noted that this way of handling removes leaking of grant entries in the error case, too.

This is CVE-2022-23040 / part of XSA-396.

Reported-by: Demi Marie Obenour
Signed-off-by: Juergen Gross
Reviewed-by: Jan Beulich
Signed-off-by: Greg Kroah-Hartman

--- drivers/xen/xenbus/xenbus_client.c | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) --- a/drivers/xen/xenbus/xenbus_client.c +++ b/drivers/xen/xenbus/xenbus_client.c @@ -368,7 +368,14 @@ int xenbus_grant_ring(struct xenbus_devi unsigned int nr_pages, grant_ref_t *grefs) { int err; - int i, j; + unsigned int i; + grant_ref_t gref_head; + + err = gnttab_alloc_grant_references(nr_pages, &gref_head); + if (err) { + xenbus_dev_fatal(dev, err, "granting access to ring page"); + return err; + } for (i = 0; i < nr_pages; i++) { unsigned long gfn;
@@ -378,23 +385,14 @@ int xenbus_grant_ring(struct xenbus_devi else gfn = virt_to_gfn(vaddr); - err = gnttab_grant_foreign_access(dev->otherend_id, gfn, 0); - if (err < 0) { - xenbus_dev_fatal(dev, err, - "granting access to ring page"); - goto fail; - } - grefs[i] = err; + grefs[i] = gnttab_claim_grant_reference(&gref_head); + gnttab_grant_foreign_access_ref(grefs[i], dev->otherend_id, + gfn, 0); vaddr = vaddr + XEN_PAGE_SIZE; } return 0; - -fail: - for (j = 0; j < i; j++) - gnttab_end_foreign_access_ref(grefs[j], 0); - return err; } EXPORT_SYMBOL_GPL(xenbus_grant_ring);
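Review bot: in the first hunk (@@ -368,7 +368,14 @@) the message passed to xenbus_dev_fatal() on the new early-return path, "granting access to ring page", is the wording of the old per-page failure, while the call that fails there is gnttab_alloc_grant_references(), which runs before any page has been granted; a message such as "allocating grant references for ring pages" would let a log reader tell the two cases apart. The early return itself is right, since nothing has been handed to the other end at that point and there is nothing to revoke, and changing the loop variable to unsigned int matches nr_pages so the comparison in for (i = 0; i < nr_pages; i++) no longer mixes signedness.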
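Review bot: in the second hunk (@@ -378,23 +385,14 @@), grefs[i] = gnttab_claim_grant_reference(&gref_head); stores the return value without a check, which is only safe because the preceding hunk reserved exactly nr_pages references and this loop claims exactly nr_pages, so the head is fully drained on exit and no gnttab_free_grant_references() call is needed either; a one-line comment stating that invariant above the loop would protect against a later change that claims a different number of references, since any error value returned by the claim would otherwise be stored as a grant reference. Removing the fail: block is the substance of the fix: the deleted gnttab_end_foreign_access_ref(grefs[j], 0) calls were the ones whose result was never checked, and with no failure left between the first grant and return 0 there is nothing to undo.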
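The commit message describes the change as moving from "grant one page at a time and undo on failure" to "reserve all references first so the granting loop cannot fail". The following user-space model, added here as an example and not code from the kernel or from this patch, shows why that matters: it runs both strategies against a small in-memory grant table where the other end is assumed to map a grant as soon as it is made, which is the situation in which revoking a grant does not succeed. All sim_* names, the 8-entry table, the domain ids and the peer_mapped flag are this model's own assumptions; they only mirror the shape of the grant-table calls named in the patch.

```c
/*
 * Added example, not kernel code: a user-space model of the two strategies in
 * xenbus_grant_ring(). The sim_* functions only mimic the shape of the grant
 * table calls named in the patch (every name here is this model's own). The
 * table is an 8-entry array; "the other side" is a per-entry flag meaning the
 * peer maps that grant the moment it is made, which is exactly the case in
 * which gnttab_end_foreign_access_ref() cannot revoke it.
 */
#include <errno.h>
#include <stdbool.h>
#include <string.h>

#define SIM_NR_GRANT_ENTRIES 8
#define SIM_DOMID_BUSY  1               /* owner of entries in use before the call */
#define SIM_DOMID_OTHER 7               /* the domain the ring is being granted to */
enum sim_state { SIM_FREE, SIM_RESERVED, SIM_GRANTED };

static struct {
	enum sim_state state[SIM_NR_GRANT_ENTRIES];
	int domid[SIM_NR_GRANT_ENTRIES];        /* meaningful when SIM_GRANTED */
	bool peer_mapped[SIM_NR_GRANT_ENTRIES]; /* peer maps this ref once granted */
} gt;

/* Fresh table: free_entries free, the rest busy; peer_maps_ref (-1 = none). */
void sim_reset(unsigned int free_entries, int peer_maps_ref)
{
	memset(&gt, 0, sizeof(gt));
	for (unsigned int i = free_entries; i < SIM_NR_GRANT_ENTRIES; i++)
		gt.state[i] = SIM_GRANTED, gt.domid[i] = SIM_DOMID_BUSY;
	if (peer_maps_ref >= 0)
		gt.peer_mapped[peer_maps_ref] = true;
}

/* Entries granted to domid; after a failed call this must be 0, or the caller
 * can neither free the ring pages safely nor keep them without a leak. */
int sim_granted_to(int domid)
{
	int n = 0;
	for (int i = 0; i < SIM_NR_GRANT_ENTRIES; i++)
		n += (gt.state[i] == SIM_GRANTED && gt.domid[i] == domid);
	return n;
}

/* Pre-patch strategy: grant page by page, try to revoke on failure. */
static int sim_grant_foreign_access(int domid)  /* a new ref, or -ENOSPC */
{
	for (int i = 0; i < SIM_NR_GRANT_ENTRIES; i++)
		if (gt.state[i] == SIM_FREE)
			return gt.state[i] = SIM_GRANTED, gt.domid[i] = domid, i;
	return -ENOSPC;
}

int sim_grant_ring_old(unsigned int nr_pages, int *grefs)
{
	for (unsigned int i = 0; i < nr_pages; i++) {
		int ref = sim_grant_foreign_access(SIM_DOMID_OTHER);
		if (ref < 0) {
			/* end_foreign_access_ref() fails while the peer maps the ref,
			 * and the old code never looked at that result. */
			for (unsigned int j = 0; j < i; j++)
				if (!gt.peer_mapped[grefs[j]])
					gt.state[grefs[j]] = SIM_FREE;
			return ref;
		}
		grefs[i] = ref;
	}
	return 0;
}

/* Patched strategy: reserve every reference first, then grant without failing.
 * head[] stands in for the gref_head list; count entries are reserved or none. */
static int sim_alloc_grant_references(unsigned int count, int *head)
{
	unsigned int n = 0;
	for (int i = 0; i < SIM_NR_GRANT_ENTRIES && n < count; i++)
		if (gt.state[i] == SIM_FREE)
			head[n++] = i;
	if (n < count)
		return -ENOSPC;                 /* nothing reserved, nothing to undo */
	for (unsigned int k = 0; k < n; k++)
		gt.state[head[k]] = SIM_RESERVED;
	return 0;
}

int sim_grant_ring_new(unsigned int nr_pages, int *grefs)
{
	int head[SIM_NR_GRANT_ENTRIES], err = sim_alloc_grant_references(nr_pages, head);
	if (err)
		return err;                     /* all-or-nothing: nothing was granted */
	for (unsigned int i = 0, left = nr_pages; i < nr_pages; i++) {
		grefs[i] = head[--left];        /* claim_grant_reference(): cannot run dry */
		gt.state[grefs[i]] = SIM_GRANTED, gt.domid[grefs[i]] = SIM_DOMID_OTHER;
	}
	return 0;
}

/* Run one strategy on a fresh table; returns its error code, table left for sim_granted_to(). */
int sim_run(bool use_new, unsigned int free_entries, int peer_maps_ref, unsigned int nr_pages)
{
	int grefs[SIM_NR_GRANT_ENTRIES];
	sim_reset(free_entries, peer_maps_ref);
	return use_new ? sim_grant_ring_new(nr_pages, grefs) : sim_grant_ring_old(nr_pages, grefs);
}
```

The constructed scenario worth running is a 4-page ring with only 3 free entries and a peer that maps the first grant immediately: sim_run(false, 3, 0, 4) fails with -ENOSPC but leaves one entry granted to the peer, which is the "partially mapped" state the commit message describes, where freeing the pages exposes memory and keeping them leaks it; sim_run(true, 3, 0, 4) fails with the same code and leaves nothing granted, because the reservation step fails before any grant is made. With enough free entries both strategies grant all four pages.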