Date: Wed, 24 Feb 2021 01:42:50 GMT
From: Mark Johnston <markj@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: ce9af53d0897 - releng/13.0 - xen-blkback: fix leak of grant maps on ring setup failure
Message-ID: <202102240142.11O1goX9055713@gitrepo.freebsd.org>
The branch releng/13.0 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=ce9af53d0897a1cb926bd244f499fc09b1626b27 commit ce9af53d0897a1cb926bd244f499fc09b1626b27 Author: Roger Pau Monné <royger@FreeBSD.org> AuthorDate: 2021-01-20 18:40:51 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2021-02-24 01:42:35 +0000 xen-blkback: fix leak of grant maps on ring setup failure Multi page rings are mapped using a single hypercall that gets passed an array of grants to map. One of the grants in the array failing to map would lead to the failure of the whole ring setup operation, but there was no cleanup of the rest of the grant maps in the array that could have likely been created as a result of the hypercall. Add proper cleanup on the failure path during ring setup to unmap any grants that could have been created. This is part of XSA-361. Approved by: re (implicit, so) Approved by: so Security: CVE-2021-26932 Security: FreeBSD-SA-21:06.xen Security: XSA-361 Sponsored by: Citrix Systems R&D (cherry picked from commit 808d4aad1022a2a33d222663b0c9badde30b9d45) (cherry picked from commit ab3e1bd3c22a222520c23c2793cc39e3a23c9b46) --- sys/dev/xen/blkback/blkback.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/sys/dev/xen/blkback/blkback.c b/sys/dev/xen/blkback/blkback.c index 762f25302c00..678472cc2ab8 100644 --- a/sys/dev/xen/blkback/blkback.c +++ b/sys/dev/xen/blkback/blkback.c 
@@ -2893,10 +2893,31 @@ xbb_connect_ring(struct xbb_softc *xbb) ring_idx < xbb->ring_config.ring_pages; ring_idx++, gnt++) { if (gnt->status != 0) { + struct gnttab_unmap_grant_ref unmap[XBB_MAX_RING_PAGES]; + unsigned int i, j; + xbb->ring_config.va = 0; xenbus_dev_fatal(xbb->dev, EACCES, "Ring shared page mapping failed. " "Status %d.", gnt->status); + + /* Unmap everything to avoid leaking grant table maps */ + for (i = 0, j = 0; i < xbb->ring_config.ring_pages; + i++) { + if (gnts[i].status != GNTST_okay) + continue; + + unmap[j].host_addr = gnts[i].host_addr; + unmap[j].dev_bus_addr = gnts[i].dev_bus_addr; + unmap[j++].handle = gnts[i].handle; + } + if (j != 0) { + error = HYPERVISOR_grant_table_op( + GNTTABOP_unmap_grant_ref, unmap, j); + if (error != 0) + panic("Unable to unmap grants (%d)", + error); + } return (EACCES); } xbb->ring_config.handle[ring_idx] = gnt->handle;
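Review bot: in the new cleanup block, only the return value of HYPERVISOR_grant_table_op() is checked; the per-entry status that the hypervisor writes back into each struct gnttab_unmap_grant_ref is never read, so an individual grant that fails to unmap stays mapped without any report, which is the leak this change sets out to close. Consider looping over unmap[0..j) after the call and at least logging any entry whose status is not GNTST_okay. Two smaller points on the same lines: the outer test is "gnt->status != 0" while the new loop uses "gnts[i].status != GNTST_okay", and using the named constant in both places would read more consistently; and the panic() on a failed unmap hypercall takes down the whole backend on a path that a frontend-supplied bad grant can reach, so a short comment stating why panic is preferred over reporting the error and returning EACCES would help future readers.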