From patchwork Fri Oct 14 23:48:42 2022
X-Patchwork-Submitter: Cengiz Can
X-Patchwork-Id: 1690232
From: Cengiz Can
To: kernel-team@lists.ubuntu.com
Subject: [SRU OEM-5.14 1/1] xen/blkfront: fix leaking data in shared pages
Date: Sat, 15 Oct 2022 02:48:42 +0300
Message-Id: <20221014234841.96935-2-cengiz.can@canonical.com>
In-Reply-To: <20221014234841.96935-1-cengiz.can@canonical.com>
References: <20221014234841.96935-1-cengiz.can@canonical.com>

From: Roger Pau Monne

When allocating pages to be used for shared communication with the
backend always zero them, this avoids leaking unintended data present
on the pages.

This is CVE-2022-26365, part of XSA-403.

Signed-off-by: Roger Pau Monné
Reviewed-by: Jan Beulich
Reviewed-by: Juergen Gross
Signed-off-by: Juergen Gross

CVE-2022-26365

(cherry picked from commit 2f446ffe9d737e9a844b97887919c4fda18246e7)
Signed-off-by: Cengiz Can
--- drivers/block/xen-blkfront.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/block/xen-blkfront.c b/drivers/block/xen-blkfront.c index 59da93cfc816c..c3ca2f1882aad 100644 --- a/drivers/block/xen-blkfront.c +++ b/drivers/block/xen-blkfront.c @@ -309,7 +309,7 @@ static int fill_grant_buffer(struct blkfront_ring_info *rinfo, int num) goto out_of_memory; if (info->feature_persistent) { - granted_page = alloc_page(GFP_NOIO); + granted_page = alloc_page(GFP_NOIO | __GFP_ZERO); if (!granted_page) { kfree(gnt_list_entry); goto out_of_memory; 
@@ -2146,7 +2146,8 @@ static int blkfront_setup_indirect(struct blkfront_ring_info *rinfo) BUG_ON(!list_empty(&rinfo->indirect_pages)); for (i = 0; i < num; i++) { - struct page *indirect_page = alloc_page(GFP_KERNEL); + struct page *indirect_page = alloc_page(GFP_KERNEL | + __GFP_ZERO); if (!indirect_page) goto out_of_memory; list_add(&indirect_page->lru, &rinfo->indirect_pages);
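Review bot: In the fill_grant_buffer hunk, __GFP_ZERO is added only to the alloc_page() call inside `if (info->feature_persistent)`, and the visible context does not show where the pages come from when that feature is off. The commit message says pages shared with the backend are always zeroed, while the diff changes two call sites and the cherry-pick line does not say whether it applied cleanly. Please state in the submission that the non-persistent path and any other allocation of shared pages in drivers/block/xen-blkfront.c in this tree were checked.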
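Review bot: In the blkfront_setup_indirect hunk, each page is zeroed once by `alloc_page(GFP_KERNEL | __GFP_ZERO)` before list_add() places it on rinfo->indirect_pages, so the flag covers only the contents the allocator returned. If pages on that list are handed out for more than one request, data written by an earlier request is not cleared by this change. A sentence in the SRU cover letter saying whether that case is in scope for this fix would keep readers from assuming more than the flag provides.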