From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jan Beulich, Juergen Gross
Subject: [PATCH 5.10 80/84] xen-netfront: restore __skb_queue_tail() positioning in xennet_get_responses()
Date: Tue, 5 Jul 2022 13:58:43 +0200
Message-Id: <20220705115617.653866894@linuxfoundation.org>
In-Reply-To: <20220705115615.323395630@linuxfoundation.org>
References: <20220705115615.323395630@linuxfoundation.org>

From: Jan Beulich

commit f63c2c2032c2e3caad9add3b82cc6e91c376fd26 upstream.

The commit referenced below moved the invocation past the "next" label, without any explanation. In fact this allows misbehaving backends undue control over the domain the frontend runs in, as earlier detected errors require the skb to not be freed (it may be retained for later processing via xennet_move_rx_slot(), or it may simply be unsafe to have it freed).

This is CVE-2022-33743 / XSA-405.

Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront")
Signed-off-by: Jan Beulich
Reviewed-by: Juergen Gross
Signed-off-by: Juergen Gross
Signed-off-by: Greg Kroah-Hartman

--- drivers/net/xen-netfront.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/drivers/net/xen-netfront.c +++ b/drivers/net/xen-netfront.c @@ -1096,8 +1096,10 @@ static int xennet_get_responses(struct n } } rcu_read_unlock(); -next: + __skb_queue_tail(list, skb); + +next: if (!(rx->flags & XEN_NETRXF_more_data)) break;
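
Review bot: The restored `__skb_queue_tail(list, skb);` line directly above `next:` carries no comment saying why it has to stay ahead of the label. The commit message notes that the earlier move past `next:` was made without any explanation, so a short comment at that spot would help: paths that jump to `next` after a detected error must not put the skb on the list, because it may be retained via xennet_move_rx_slot() or be unsafe to free. That keeps the ordering constraint visible in the code rather than only in the changelog, and makes a later refactor less likely to reintroduce the problem.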