diff options
| author | Leonardo Arena <rnalrd@alpinelinux.org> | 2016-02-24 10:36:40 +0000 |
|---|---|---|
| committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2016-02-24 10:37:15 +0000 |
| commit | ed9dc5651926188f0fe277a0e5a51961ee5545f1 (patch) | |
| tree | f0f00eea020daad87333991ddbb460ef90bf4504 /main/linux-grsec/xsa155-linux-xsa155-0001-xen-Add-RING_COPY_REQUEST.patch | |
| parent | 77696081b24054a74abaedb11b20b6ff44f39985 (diff) | |
| download | aports-ed9dc5651926188f0fe277a0e5a51961ee5545f1.tar.bz2 aports-ed9dc5651926188f0fe277a0e5a51961ee5545f1.tar.xz | |
main/linux-grsec: security fix (CVE-2015-8550, xsa-155). Fixes #5159
Diffstat (limited to 'main/linux-grsec/xsa155-linux-xsa155-0001-xen-Add-RING_COPY_REQUEST.patch')
| -rw-r--r-- | main/linux-grsec/xsa155-linux-xsa155-0001-xen-Add-RING_COPY_REQUEST.patch | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/main/linux-grsec/xsa155-linux-xsa155-0001-xen-Add-RING_COPY_REQUEST.patch b/main/linux-grsec/xsa155-linux-xsa155-0001-xen-Add-RING_COPY_REQUEST.patch new file mode 100644 index 0000000000..5496a09821 --- /dev/null +++ b/main/linux-grsec/xsa155-linux-xsa155-0001-xen-Add-RING_COPY_REQUEST.patch @@ -0,0 +1,57 @@ +From 4e2bc423e0cef0a42f93d989c0980301df1bd462 Mon Sep 17 00:00:00 2001 +From: David Vrabel <david.vrabel@citrix.com> +Date: Fri, 30 Oct 2015 14:58:08 +0000 +Subject: [PATCH 1/7] xen: Add RING_COPY_REQUEST() + +Using RING_GET_REQUEST() on a shared ring is easy to use incorrectly +(i.e., by not considering that the other end may alter the data in the +shared ring while it is being inspected). Safe usage of a request +generally requires taking a local copy. + +Provide a RING_COPY_REQUEST() macro to use instead of +RING_GET_REQUEST() and an open-coded memcpy(). This takes care of +ensuring that the copy is done correctly regardless of any possible +compiler optimizations. + +Use a volatile source to prevent the compiler from reordering or +omitting the copy. + +This is part of XSA155. + +CC: stable@vger.kernel.org +Signed-off-by: David Vrabel <david.vrabel@citrix.com> +Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> +--- +v2: Update about GCC and bitfields. +--- + include/xen/interface/io/ring.h | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/include/xen/interface/io/ring.h b/include/xen/interface/io/ring.h +index 7d28aff..7dc685b 100644 +--- a/include/xen/interface/io/ring.h ++++ b/include/xen/interface/io/ring.h +@@ -181,6 +181,20 @@ struct __name##_back_ring { \ + #define RING_GET_REQUEST(_r, _idx) \ + (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].req)) + ++/* ++ * Get a local copy of a request. ++ * ++ * Use this in preference to RING_GET_REQUEST() so all processing is ++ * done on a local copy that cannot be modified by the other end. ++ * ++ * Note that https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58145 may cause this ++ * to be ineffective where _req is a struct which consists of only bitfields. ++ */ ++#define RING_COPY_REQUEST(_r, _idx, _req) do { \ ++ /* Use volatile to force the copy into _req. */ \ ++ *(_req) = *(volatile typeof(_req))RING_GET_REQUEST(_r, _idx); \ ++} while (0) ++ + #define RING_GET_RESPONSE(_r, _idx) \ + (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].rsp)) + +-- +2.1.0 + |