xen/pciback: Save xen_pci_op commands before processing it

xiaomi-sm8450/android_kernel_xiaomi_sm8450

Double fetch vulnerabilities that happen when a variable is
fetched twice from shared memory but a security check is only
performed the first time.

The xen_pcibk_do_op function performs a switch statements on the op->cmd
value which is stored in shared memory. Interestingly this can result
in a double fetch vulnerability depending on the performed compiler
optimization.

This patch fixes it by saving the xen_pci_op command before
processing it. We also use 'barrier' to make sure that the
compiler does not perform any optimization.

This is part of XSA155.

CC: stable@vger.kernel.org
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Jan Beulich <JBeulich@suse.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

This commit is contained in:

Konrad Rzeszutek Wilk

2015-11-16 12:40:48 -05:00

parent be69746ec1

commit 8135cf8b09

2 changed files with 15 additions and 1 deletions

									
										1

drivers/xen/xen-pciback/pciback.h
									
												View File
												
				@@ -37,6 +37,7 @@ struct xen_pcibk_device {

					struct xen_pci_sharedinfo *sh_info;

					unsigned long flags;

					struct work_struct op_work;

					struct xen_pci_op op;

				};

				struct xen_pcibk_dev_data {

xen/pciback: Save xen_pci_op commands before processing it

1 drivers/xen/xen-pciback/pciback.h Unescape Escape View File

1

drivers/xen/xen-pciback/pciback.h

View File