xen/scsifront: don't use gnttab_query_foreign_access() for mapped status
It isn't enough to check whether a grant is still being in use by calling gnttab_query_foreign_access(), as a mapping could be realized by the other side just after having called that function. In case the call was done in preparation of revoking a grant it is better to do so via gnttab_try_end_foreign_access() and check the success of that operation instead. This is CVE-2022-23038 / part of XSA-396. Reported-by: Demi Marie Obenour <demi@invisiblethingslab.com> Signed-off-by: Juergen Gross <jgross@suse.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> --- V2: - use gnttab_try_end_foreign_access()
This commit is contained in:
parent
31185df7e2
commit
33172ab50a
@ -233,12 +233,11 @@ static void scsifront_gnttab_done(struct vscsifrnt_info *info,
|
||||
return;
|
||||
|
||||
for (i = 0; i < shadow->nr_grants; i++) {
|
||||
if (unlikely(gnttab_query_foreign_access(shadow->gref[i]))) {
|
||||
if (unlikely(!gnttab_try_end_foreign_access(shadow->gref[i]))) {
|
||||
shost_printk(KERN_ALERT, info->host, KBUILD_MODNAME
|
||||
"grant still in use by backend\n");
|
||||
BUG();
|
||||
}
|
||||
gnttab_end_foreign_access(shadow->gref[i], 0, 0UL);
|
||||
}
|
||||
|
||||
kfree(shadow->sg);
|
||||
|
Loading…
Reference in New Issue
Block a user