diff options
| author | Leonardo Arena <rnalrd@alpinelinux.org> | 2016-02-24 10:36:40 +0000 |
|---|---|---|
| committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2016-02-24 10:37:15 +0000 |
| commit | ed9dc5651926188f0fe277a0e5a51961ee5545f1 (patch) | |
| tree | f0f00eea020daad87333991ddbb460ef90bf4504 /main/linux-grsec/xsa155-linux-xsa155-0004-xen-blkback-only-read-request-operation-from-shared-.patch | |
| parent | 77696081b24054a74abaedb11b20b6ff44f39985 (diff) | |
| download | aports-ed9dc5651926188f0fe277a0e5a51961ee5545f1.tar.bz2 aports-ed9dc5651926188f0fe277a0e5a51961ee5545f1.tar.xz | |
main/linux-grsec: security fix (CVE-2015-8550, xsa-155). Fixes #5159
Diffstat (limited to 'main/linux-grsec/xsa155-linux-xsa155-0004-xen-blkback-only-read-request-operation-from-shared-.patch')
| -rw-r--r-- | main/linux-grsec/xsa155-linux-xsa155-0004-xen-blkback-only-read-request-operation-from-shared-.patch | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/main/linux-grsec/xsa155-linux-xsa155-0004-xen-blkback-only-read-request-operation-from-shared-.patch b/main/linux-grsec/xsa155-linux-xsa155-0004-xen-blkback-only-read-request-operation-from-shared-.patch new file mode 100644 index 0000000000..e0e9577c77 --- /dev/null +++ b/main/linux-grsec/xsa155-linux-xsa155-0004-xen-blkback-only-read-request-operation-from-shared-.patch @@ -0,0 +1,54 @@ +From 084b8c2e77f1ac07e4a3a121ff957c49a9379385 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com> +Date: Tue, 3 Nov 2015 16:34:09 +0000 +Subject: [PATCH 4/7] xen-blkback: only read request operation from shared ring + once +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +A compiler may load a switch statement value multiple times, which could +be bad when the value is in memory shared with the frontend. + +When converting a non-native request to a native one, ensure that +src->operation is only loaded once by using READ_ONCE(). + +This is part of XSA155. + +CC: stable@vger.kernel.org +Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> +Signed-off-by: David Vrabel <david.vrabel@citrix.com> +Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> +--- + drivers/block/xen-blkback/common.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/block/xen-blkback/common.h b/drivers/block/xen-blkback/common.h +index 68e87a0..c929ae2 100644 +--- a/drivers/block/xen-blkback/common.h ++++ b/drivers/block/xen-blkback/common.h +@@ -408,8 +408,8 @@ static inline void blkif_get_x86_32_req(struct blkif_request *dst, + struct blkif_x86_32_request *src) + { + int i, n = BLKIF_MAX_SEGMENTS_PER_REQUEST, j; +- dst->operation = src->operation; +- switch (src->operation) { ++ dst->operation = READ_ONCE(src->operation); ++ switch (dst->operation) { + case BLKIF_OP_READ: + case BLKIF_OP_WRITE: + case BLKIF_OP_WRITE_BARRIER: +@@ -456,8 +456,8 @@ static inline void blkif_get_x86_64_req(struct blkif_request *dst, + struct blkif_x86_64_request *src) + { + int i, n = BLKIF_MAX_SEGMENTS_PER_REQUEST, j; +- dst->operation = src->operation; +- switch (src->operation) { ++ dst->operation = READ_ONCE(src->operation); ++ switch (dst->operation) { + case BLKIF_OP_READ: + case BLKIF_OP_WRITE: + case BLKIF_OP_WRITE_BARRIER: +-- +2.1.0 + |