xen/blkfront: fix leaking data in shared pages
commit 2f446ffe9d737e9a844b97887919c4fda18246e7 upstream. When allocating pages to be used for shared communication with the backend always zero them, this avoids leaking unintended data present on the pages. This is CVE-2022-26365, part of XSA-403. Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Juergen Gross <jgross@suse.com> Signed-off-by: Juergen Gross <jgross@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
					Roger Pau Monne
				
			
				
					committed by
					
						Greg Kroah-Hartman
					
				
			
			
				
	
			
			
					
				
			
						parent
						
							d341e5a754
						
					
				
				
					commit
					cfea428030
				
			| @@ -311,7 +311,7 @@ static int fill_grant_buffer(struct blkfront_ring_info *rinfo, int num) | ||||
| 			goto out_of_memory; | ||||
| 
 | ||||
| 		if (info->feature_persistent) { | ||||
| 			granted_page = alloc_page(GFP_NOIO); | ||||
| 			granted_page = alloc_page(GFP_NOIO | __GFP_ZERO); | ||||
| 			if (!granted_page) { | ||||
| 				kfree(gnt_list_entry); | ||||
| 				goto out_of_memory; | ||||
| @@ -1753,7 +1753,7 @@ static int setup_blkring(struct xenbus_device *dev, | ||||
| 	for (i = 0; i < info->nr_ring_pages; i++) | ||||
| 		rinfo->ring_ref[i] = GRANT_INVALID_REF; | ||||
| 
 | ||||
| 	sring = alloc_pages_exact(ring_size, GFP_NOIO); | ||||
| 	sring = alloc_pages_exact(ring_size, GFP_NOIO | __GFP_ZERO); | ||||
| 	if (!sring) { | ||||
| 		xenbus_dev_fatal(dev, -ENOMEM, "allocating shared ring"); | ||||
| 		return -ENOMEM; | ||||
| @@ -2293,7 +2293,8 @@ static int blkfront_setup_indirect(struct blkfront_ring_info *rinfo) | ||||
| 
 | ||||
| 		BUG_ON(!list_empty(&rinfo->indirect_pages)); | ||||
| 		for (i = 0; i < num; i++) { | ||||
| 			struct page *indirect_page = alloc_page(GFP_KERNEL); | ||||
| 			struct page *indirect_page = alloc_page(GFP_KERNEL | | ||||
| 			                                        __GFP_ZERO); | ||||
| 			if (!indirect_page) | ||||
| 				goto out_of_memory; | ||||
| 			list_add(&indirect_page->lru, &rinfo->indirect_pages); | ||||
|   | ||||
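Review bot: In fill_grant_buffer the new `__GFP_ZERO` only covers pages allocated under `if (info->feature_persistent)`; the other branch lies outside the hunk, so from here it is not clear that pages granted to the backend on the non-persistent path are free of unrelated data, and that path deserves the same check. None of the three allocation sites says why the flag is there, so a later cleanup could drop it as a redundant cost; a short comment above each allocation, for example `/* Shared with the backend: zero the page so no stale kernel data is exposed. */`, would pin the intent. All three functions (fill_grant_buffer, setup_blkring, blkfront_setup_indirect) start and end outside their hunks.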