Commit 1938d44f authored by Roger Pau Monne's avatar Roger Pau Monne Committed by Zheng Zengkai
Browse files

xen/blkfront: fix leaking data in shared pages 

stable inclusion
from stable-v5.10.129
commit cfea428030be836d79a7690968232bb7fa4410f1
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5GLXT
CVE: CVE-2022-26365

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=cfea428030be836d79a7690968232bb7fa4410f1



--------------------------------

commit 2f446ffe upstream.

When allocating pages to be used for shared communication with the
backend always zero them, this avoids leaking unintended data present
on the pages.

This is CVE-2022-26365, part of XSA-403.

Signed-off-by: default avatarRoger Pau Monné <roger.pau@citrix.com>
Reviewed-by: default avatarJan Beulich <jbeulich@suse.com>
Reviewed-by: default avatarJuergen Gross <jgross@suse.com>
Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarChenXiaoSong <chenxiaosong2@huawei.com>
Reviewed-by: default avatarXiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: default avatarJason Yan <yanaijie@huawei.com>
Signed-off-by: default avatarZheng Zengkai <zhengzengkai@huawei.com>
parent 8da2810d

drivers/block/xen-blkfront.c

+4 −3
Original line number Diff line number Diff line
@@ -311,7 +311,7 @@ static int fill_grant_buffer(struct blkfront_ring_info *rinfo, int num) 
			goto out_of_memory;



		if (info->feature_persistent) {

			granted_page = alloc_page(GFP_NOIO);

			granted_page = alloc_page(GFP_NOIO | __GFP_ZERO);

			if (!granted_page) {

				kfree(gnt_list_entry);

				goto out_of_memory;
@@ -1753,7 +1753,7 @@ static int setup_blkring(struct xenbus_device *dev, 
	for (i = 0; i < info->nr_ring_pages; i++)

		rinfo->ring_ref[i] = GRANT_INVALID_REF;



	sring = alloc_pages_exact(ring_size, GFP_NOIO);

	sring = alloc_pages_exact(ring_size, GFP_NOIO | __GFP_ZERO);

	if (!sring) {

		xenbus_dev_fatal(dev, -ENOMEM, "allocating shared ring");

		return -ENOMEM;
@@ -2293,7 +2293,8 @@ static int blkfront_setup_indirect(struct blkfront_ring_info *rinfo) 


		BUG_ON(!list_empty(&rinfo->indirect_pages));

		for (i = 0; i < num; i++) {

			struct page *indirect_page = alloc_page(GFP_KERNEL);

			struct page *indirect_page = alloc_page(GFP_KERNEL |

			                                        __GFP_ZERO);

			if (!indirect_page)

				goto out_of_memory;

			list_add(&indirect_page->lru, &rinfo->indirect_pages);