Diffstat (limited to 'main/xen/xsa71.patch')
-rw-r--r--main/xen/xsa71.patch43
1 files changed, 43 insertions, 0 deletions
diff --git a/main/xen/xsa71.patch b/main/xen/xsa71.patch
new file mode 100644
index 0000000000..45e52eb0f8
--- /dev/null
+++ b/main/xen/xsa71.patch
@@ -0,0 +1,43 @@
+From 23260e589e52ec83349f22198eab2331b5a1684e Mon Sep 17 00:00:00 2001
+From: Matthew Daley <mattjd@gmail.com>
+Date: Wed, 25 Sep 2013 12:28:47 +1200
+Subject: [PATCH] xen_disk: mark ioreq as mapped before unmapping in error
+ case
+
+Commit c6961b7d ("xen_disk: use bdrv_aio_flush instead of bdrv_flush")
+modified the semantics of ioreq_{un,}map so that they are idempotent if
+called when they're not needed (ie., twice in a row). However, it neglected
+to handle the case where batch mapping is not being used (the default), and
+one of the grants fails to map. In this case, ioreq_unmap will be called to
+unwind and unmap any mappings already performed, but ioreq_unmap simply
+returns due to the aforementioned change (the ioreq has not already been
+marked as mapped).
+
+The frontend user can therefore force xen_disk to leak grant mappings, a
+per-backend-domain limited resource.
+
+Fix by marking the ioreq as mapped before calling ioreq_unmap in this
+situation.
+
+This is XSA-71 / CVE-2013-4375
+
+Signed-off-by: Matthew Daley <mattjd@gmail.com>
+---
+ hw/xen_disk.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/qemu-xen/hw/xen_disk.c b/tools/qemu-xen/hw/xen_disk.c
+index a402ac8..1cdfcbc 100644
+--- a/tools/qemu-xen/hw/xen_disk.c
++++ b/tools/qemu-xen/hw/xen_disk.c
+@@ -299,6 +299,7 @@ static int ioreq_map(struct ioreq *ioreq)
+ xen_be_printf(&ioreq->blkdev->xendev, 0,
+ "can't map grant ref %d (%s, %d maps)\n",
+ refs[i], strerror(errno), ioreq->blkdev->cnt_map);
++ ioreq->mapped = 1;
+ ioreq_unmap(ioreq);
+ return -1;
+ }
+--
+1.7.10.4
+
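Review bot: The embedded patch's stat line `hw/xen_disk.c | 1 +` does not match the `tools/qemu-xen/hw/xen_disk.c` paths in its own diff headers, so it has been re-rooted against the Xen source tree; the APKBUILD must apply it with the strip level that matches those paths (`-p1` from the xen source root), otherwise `patch` will prompt for the file and the build will hang or silently skip the fix. Since the grant-mapping leak only exists once commit c6961b7d is present, it is worth confirming the qemu-xen tree bundled with this Xen release actually carries that commit before shipping the patch, and recording that in the APKBUILD alongside the CVE-2013-4375 reference. The one-line fix `ioreq->mapped = 1;` before `ioreq_unmap(ioreq);` presumably lets ioreq_unmap pass its idempotence check, but ioreq_unmap itself is not in this hunk, so whether it only unmaps the grants already mapped (indices below the failed `refs[i]`) rather than all of them should be checked in the patched file. The enclosing ioreq_map body starts and ends outside the hunk.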