xen-netback: don't produce zero-size SKB frags

stable inclusion
from stable-v4.19.306
commit 5bb8270789c88c0e4ad78c0de2f274f2275c7f6c
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8YCSC
CVE: CVE-2023-46838

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=5bb8270789c88c0e4ad78c0de2f274f2275c7f6c

--------------------------------

commit c7ec4f2d684e17d69bbdd7c4324db0ef5daac26a upstream.

While frontends may submit zero-size requests (wasting a precious slot), core networking code as of at least 3ece7826 ("sock: skb_copy_ubufs support for compound pages") can't deal with SKBs when they have all zero-size fragments. Respond to empty requests right when populating fragments; all further processing is fragment based and hence won't encounter these empty requests anymore.

In a way this should have been that way from the beginning: When no data is to be transferred for a particular request, there's not even a point in validating the respective grant ref. That's no different from e.g. passing NULL into memcpy() when at the same time the size is 0.

This is XSA-448 / CVE-2023-46838.

Cc: stable@vger.kernel.org
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Paul Durrant <paul@xen.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>