From patchwork Wed Oct 12 02:18:01 2022
X-Patchwork-Submitter: Cengiz Can
X-Patchwork-Id: 1689016
From: Cengiz Can
To: kernel-team@lists.ubuntu.com
Subject: [SRU HWE-5.17 1/1] xen-netfront: restore __skb_queue_tail() positioning in xennet_get_responses()
Date: Wed, 12 Oct 2022 05:18:01 +0300
Message-Id: <20221012021758.55298-3-cengiz.can@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20221012021758.55298-1-cengiz.can@canonical.com>
References: <20221012021758.55298-1-cengiz.can@canonical.com>
List-Id: Kernel team discussions

From: Jan Beulich

The commit referenced below moved the invocation past the "next" label,
without any explanation. In fact this allows misbehaving backends undue
control over the domain the frontend runs in, as earlier detected errors
require the skb to not be freed (it may be retained for later processing
via xennet_move_rx_slot(), or it may simply be unsafe to have it freed).

This is CVE-2022-33743 / XSA-405.

Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront")
Signed-off-by: Jan Beulich
Reviewed-by: Juergen Gross
Signed-off-by: Juergen Gross
CVE-2022-33743
(cherry picked from commit f63c2c2032c2e3caad9add3b82cc6e91c376fd26)
Signed-off-by: Cengiz Can
---
 drivers/net/xen-netfront.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
index daa4e6106aacc..f8c37f243c445 100644
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -1055,8 +1055,10 @@ static int xennet_get_responses(struct netfront_queue *queue, } } rcu_read_unlock(); -next: + __skb_queue_tail(list, skb); + +next: if (!(rx->flags & XEN_NETRXF_more_data)) break;
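Review bot: moving `__skb_queue_tail(list, skb);` above the `next:` label means every `goto next` in xennet_get_responses() now leaves the skb off `list`, but none of those jump sites appear in the hunk's context, so the SRU should confirm in the HWE-5.17 tree that each of them is an error path where the skb has already been handed to xennet_move_rx_slot() or otherwise must not be freed together with the list, as the commit message requires, and that no jump site expects the skb to be queued by the time the `XEN_NETRXF_more_data` check runs. The two blank lines added around the call (one after `rcu_read_unlock();`, one before `next:`) are cosmetic; as this is a cherry-pick of f63c2c2032c2, keeping the hunk byte-identical to that commit is preferable to trimming them here.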
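To make the ordering issue described in the commit message concrete, the following is an added, self-contained C model of the receive loop; it is not code from xen-netfront, from the patch, or from its authors. The skb and rx-slot structures, the backend responses, the caller purging the list after an error, and every name in it (pool, move_rx_slot, purge_list, get_responses, sample_responses) are assumptions chosen to mirror the description above: an skb handed back through the xennet_move_rx_slot() stand-in must not be freed, and whether it escapes freeing depends only on whether the queueing sits before or after the `next:` label.

```c
/*
 * Added illustration of the ordering bug behind CVE-2022-33743 / XSA-405.
 * This is NOT drivers/net/xen-netfront.c: skb, rx slot, backend responses
 * and the audit counters are simplified stand-ins (assumptions).
 */
#include <stdbool.h>
#include <stdio.h>

#define NSLOTS 8

/* Lifecycle of one receive buffer in this model. */
enum skb_state { SKB_IN_USE, SKB_RETAINED, SKB_FREED };

struct skb {
	int id;
	enum skb_state st;
};

/* One backend response; status < 0 models an error reported by a misbehaving backend. */
struct rx_response {
	int status;
	bool more_data;
};

/* Returned to the caller so the outcome can be checked programmatically. */
struct audit {
	int queued;          /* skbs the loop appended to the list */
	int retained_freed;  /* skbs freed although the ring still references them */
};

static struct skb pool[NSLOTS];

static void reset_pool(void)
{
	for (int i = 0; i < NSLOTS; i++)
		pool[i] = (struct skb){ .id = i, .st = SKB_IN_USE };
}

/* Stand-in for xennet_move_rx_slot(): the buffer is handed back to the rx
 * ring for later reuse, so from here on it must not be freed. */
static void move_rx_slot(struct skb *skb)
{
	skb->st = SKB_RETAINED;
}

/* Stand-in for the caller disposing of the list after an error (assumption
 * taken from the commit message: an skb left on the list ends up freed).
 * A retained skb reaching this point is the hazard the fix removes. */
static void purge_list(struct skb **list, int n, struct audit *a)
{
	for (int i = 0; i < n; i++) {
		if (list[i]->st == SKB_RETAINED)
			a->retained_freed++;
		list[i]->st = SKB_FREED;
	}
}

/*
 * Model of the xennet_get_responses() loop. `fixed' selects where the
 * __skb_queue_tail() equivalent sits relative to the `next:' label:
 *   fixed == false: label first, so an error path jumping to it still
 *                   queues the skb (modeled as falling through);
 *   fixed == true:  queueing first, so only the success path reaches it.
 */
static struct audit get_responses(const struct rx_response *rsp, int n, bool fixed)
{
	struct skb *list[NSLOTS];
	struct audit a = { 0, 0 };
	int nlist = 0, err = 0;

	reset_pool();
	for (int i = 0; i < n && i < NSLOTS; i++) {
		struct skb *skb = &pool[i];
		const struct rx_response *rx = &rsp[i];

		if (rx->status < 0) {
			move_rx_slot(skb);	/* error: the ring owns this skb again */
			err = -1;
			if (fixed)
				goto next;	/* restored layout: skip the queueing */
		}
		list[nlist++] = skb;		/* __skb_queue_tail(list, skb) */
next:
		if (!rx->more_data)
			break;
	}
	a.queued = nlist;
	if (err)
		purge_list(list, nlist, &a);
	return a;
}

/* Constructed input: a good slot, a slot the backend flags as bad, a final good slot. */
static const struct rx_response sample_responses[] = {
	{ 0, true }, { -1, true }, { 0, false },
};
#define SAMPLE_COUNT 3

int main(void)
{
	struct audit bad = get_responses(sample_responses, SAMPLE_COUNT, false);
	struct audit good = get_responses(sample_responses, SAMPLE_COUNT, true);

	printf("label before queueing: queued=%d retained_freed=%d\n", bad.queued, bad.retained_freed);
	printf("queueing before label: queued=%d retained_freed=%d\n", good.queued, good.retained_freed);
	return 0;
}
```

With the label-first layout the audit reports one retained skb that was freed along with the list; with the queueing before the label it reports none and the retained skb is still owned by the ring. The model deliberately tracks states instead of freeing real memory, so the hazard is observable without a crash.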