Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/netbsd-9]: src/sys/arch/xen/xen Apply patch, requested by jdolecek in ti...



details:   https://anonhg.NetBSD.org/src/rev/8ceec264421b
branches:  netbsd-9
changeset: 953046:8ceec264421b
user:      martin <martin%NetBSD.org@localhost>
date:      Wed Feb 24 08:05:08 2021 +0000

description:
Apply patch, requested by jdolecek in ticket 1213:

Do not panic Dom0 when hypervisor grant_table_op(GNTTABOP_copy) fails
in xennet(4) backend driver, that can be triggered by malicious or buggy
DomU via bad grant reference.

Part of fixes for XSA-362.

diffstat:

 sys/arch/xen/xen/xennetback_xenbus.c |  20 ++++++++++++--------
 1 files changed, 12 insertions(+), 8 deletions(-)

diffs (44 lines):

diff -r 4fa8404c0979 -r 8ceec264421b sys/arch/xen/xen/xennetback_xenbus.c
--- a/sys/arch/xen/xen/xennetback_xenbus.c      Tue Feb 23 18:55:29 2021 +0000
+++ b/sys/arch/xen/xen/xennetback_xenbus.c      Wed Feb 24 08:05:08 2021 +0000
@@ -1,4 +1,4 @@
-/*      $NetBSD: xennetback_xenbus.c,v 1.75.4.1 2021/02/23 18:50:21 martin Exp $      */
+/*      $NetBSD: xennetback_xenbus.c,v 1.75.4.2 2021/02/24 08:05:08 martin Exp $      */
 
 /*
  * Copyright (c) 2006 Manuel Bouyer.
@@ -25,7 +25,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xennetback_xenbus.c,v 1.75.4.1 2021/02/23 18:50:21 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xennetback_xenbus.c,v 1.75.4.2 2021/02/24 08:05:08 martin Exp $");
 
 #include "opt_xen.h"
 
@@ -1041,15 +1041,19 @@
                        bpf_mtap(ifp, m, BPF_D_OUT);
                }
                if (i != 0) {
-                       if (HYPERVISOR_grant_table_op(GNTTABOP_copy,
-                           xstart_gop_copy, i) != 0) {
-                               panic("%s: GNTTABOP_copy failed",
-                                   ifp->if_xname);
+                       int result;
+
+                       result = HYPERVISOR_grant_table_op(GNTTABOP_copy,
+                           xstart_gop_copy, i);
+                       if (result != 0) {
+                               printf("%s: GNTTABOP_copy failed %d",
+                                   ifp->if_xname, result);
                        }
 
                        for (j = 0; j < i; j++) {
-                               if (xstart_gop_copy[j].status != GNTST_okay) {
-                                       printf("%s GNTTABOP_copy[%d] %d\n",
+                               if (result < 0 || (result > 0 && j >= result)
+                                   || xstart_gop_copy[j].status != GNTST_okay){
+                                       printf("%s GNTTABOP_copy[%d] st %d\n",
                                            ifp->if_xname,
                                            j, xstart_gop_copy[j].status);
                                        printf("%s: req_prod %u req_cons "



Home | Main Index | Thread Index | Old Index