[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen stable-4.14] gnttab: correct locking on transitive grant copy error path

To: xen-changelog@xxxxxxxxxxxxxxxxxxxx
From: patchbot@xxxxxxx
Date: Thu, 27 Oct 2022 18:24:23 +0000
Delivery-date: Thu, 27 Oct 2022 18:24:26 +0000
List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xenproject.org>

commit 6e5608d1c50e0f91ed3226489d9591c70fa37c30
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Tue Oct 11 15:42:48 2022 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Oct 11 15:42:48 2022 +0200

    gnttab: correct locking on transitive grant copy error path
    
    While the comment next to the lock dropping in preparation of
    recursively calling acquire_grant_for_copy() mistakenly talks about the
    rd == td case (excluded a few lines further up), the same concerns apply
    to the calling of release_grant_for_copy() on a subsequent error path.
    
    This is CVE-2022-33748 / XSA-411.
    
    Fixes: ad48fb963dbf ("gnttab: fix transitive grant handling")
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    master commit: 6e3aab858eef614a21a782a3b73acc88e74690ea
    master date: 2022-10-11 14:29:30 +0200
---
 xen/common/grant_table.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
index 34498d4652..576b1d34dc 100644
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -2617,9 +2617,8 @@ acquire_grant_for_copy(
                      trans_domid);
 
         /*
-         * acquire_grant_for_copy() could take the lock on the
-         * remote table (if rd == td), so we have to drop the lock
-         * here and reacquire.
+         * acquire_grant_for_copy() will take the lock on the remote table,
+         * so we have to drop the lock here and reacquire.
          */
         active_entry_release(act);
         grant_read_unlock(rgt);
@@ -2656,11 +2655,25 @@ acquire_grant_for_copy(
                           act->trans_gref != trans_gref ||
                           !act->is_sub_page)) )
         {
+            /*
+             * Like above for acquire_grant_for_copy() we need to drop and then
+             * re-acquire the locks here to prevent lock order inversion 
issues.
+             * Unlike for acquire_grant_for_copy() we don't need to re-check
+             * anything, as release_grant_for_copy() doesn't depend on the 
grant
+             * table entry: It only updates internal state and the status 
flags.
+             */
+            active_entry_release(act);
+            grant_read_unlock(rgt);
+
             release_grant_for_copy(td, trans_gref, readonly);
-            fixup_status_for_copy_pin(rd, act, status);
             rcu_unlock_domain(td);
+
+            grant_read_lock(rgt);
+            act = active_entry_acquire(rgt, gref);
+            fixup_status_for_copy_pin(rd, act, status);
             active_entry_release(act);
             grant_read_unlock(rgt);
+
             put_page(*page);
             *page = NULL;
             return ERESTART;
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.14

Prev by Date: [xen stable-4.14] xen/arm: Allocate and free P2M pages from the P2M pool
Next by Date: [xen stable-4.14] libxl/Arm: correct xc_shadow_control() invocation to fix build
Previous by thread: [xen stable-4.14] xen/arm: Allocate and free P2M pages from the P2M pool
Next by thread: [xen stable-4.14] libxl/Arm: correct xc_shadow_control() invocation to fix build
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.