
[xen stable-4.12] xen/grant-table: Only decrement the refcounter when grant is fully unmapped



commit ff626ec7f2777ef7de85f6d485c5e788738af0c3
Author:     Julien Grall <jgrall@xxxxxxxxxx>
AuthorDate: Tue Jan 25 14:47:09 2022 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Jan 25 14:47:09 2022 +0100

    xen/grant-table: Only decrement the refcounter when grant is fully unmapped
    
    The grant unmapping hypercall (GNTTABOP_unmap_grant_ref) is not a
    simple revert of the changes done by the grant mapping hypercall
    (GNTTABOP_map_grant_ref).
    
    Instead, it is possible to partially (or even not) clear some flags.
    This will leave the grant mapped until a future call where all
    the flags would be cleared.
    
    XSA-380 introduced refcounting that is meant to only be dropped
    when the grant is fully unmapped. Unfortunately, unmap_common() will
    decrement the refcount for every successful call.
    
    A consequence is that a domain would be able to underflow the refcount
    and trigger a BUG().
    
    Looking at the code, it is not clear to me why a domain would
    want to partially clear some flags in the grant-table. But as
    this is part of the ABI, it is better to not change the behavior
    for now.
    
    Fix it by checking if the maptrack handle has been released before
    decrementing the refcount.
    
    This is CVE-2022-23034 / XSA-394.
    
    Fixes: 9781b51efde2 ("gnttab: replace mapkind()")
    Signed-off-by: Julien Grall <jgrall@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
    master commit: 975a8fb45ca186b3476e5656c6ad5dad1122dbfd
    master date: 2022-01-25 13:25:49 +0100
---
 xen/common/grant_table.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
index ee5748e74e..61d29df7bd 100644
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -1402,7 +1402,12 @@ unmap_common(
     if ( put_handle )
         put_maptrack_handle(lgt, op->handle);
 
-    if ( rc == GNTST_okay && gnttab_need_iommu_mapping(ld) )
+    /*
+     * map_grant_ref() will only increment the refcount (and update the
+     * IOMMU) once per mapping. So we only want to decrement it once the
+     * maptrack handle has been put, alongside the further IOMMU update.
+     */
+    if ( put_handle && gnttab_need_iommu_mapping(ld) )
     {
         void **slot;
         union maptrack_node node;
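Review bot: the new condition `if ( put_handle && gnttab_need_iommu_mapping(ld) )` drops the previous `rc == GNTST_okay` test, so the refcount drop and IOMMU update now depend solely on `put_handle` being set; nothing in this hunk shows that `put_handle` can only be true on the success path, so either the comment above the condition should state that invariant explicitly (e.g. "put_handle is only set once every flag has been cleared and rc == GNTST_okay") or an `ASSERT(rc == GNTST_okay)` inside the block would document and enforce it, since an error path that still puts the handle would otherwise reach the decrement this fix is meant to guard. Minor: the comment says "alongside the further IOMMU update" but the block only shows `slot`/`node` declarations here, so a reader cannot confirm from this context that the IOMMU update is indeed once-per-mapping; naming `map_grant_ref()`'s matching path in the comment would make the pairing checkable.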
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.12