iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/drivers
History
Ross Lagerwall 11e6919ae0 xen/netback: Fix buffer overrun triggered by unusual packet 
commit 534fc31d09b706a16d83533e16b5dc855caf7576 upstream.

It is possible that a guest can send a packet that contains a head + 18
slots and yet has a len <= XEN_NETBACK_TX_COPY_LEN. This causes nr_slots
to underflow in xenvif_get_requests() which then causes the subsequent
loop's termination condition to be wrong, causing a buffer overrun of
queue->tx_map_ops.

Rework the code to account for the extra frag_overflow slots.

This is CVE-2023-34319 / XSA-432.

Fixes: ad7f402ae4f4 ("xen/netback: Ensure protocol headers don't fall in the non-linear area")
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Reviewed-by: Paul Durrant <paul@xen.org>
Reviewed-by: Wei Liu <wei.liu@kernel.org>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-08-08 19:49:19 +02:00
..
accessibility
acpi
ACPI: thermal: drop an always true check
2023-06-09 10:24:02 +02:00
amba
android
binder: fix UAF of ref->proc caused by race condition
2022-09-15 12:17:03 +02:00
ata
ata: libata-scsi: Use correct device no in ata_find_dev()
2023-06-09 10:24:02 +02:00
atm
atm: idt77252: fix kmemleak when rmmod idt77252
2023-04-05 11:15:34 +02:00
auxdisplay
base
x86/speculation: Add Gather Data Sampling mitigation
2023-08-08 19:49:18 +02:00
bcma
block
xen/blkfront: Only check REQ_FUA for writes
2023-06-21 15:39:57 +02:00
bluetooth
Revert "Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work"
2023-05-17 11:13:14 +02:00
bus
bus: imx-weim: fix branch condition evaluates to a garbage value
2023-04-05 11:15:38 +02:00
cdrom
char
ipmi: move message error checking to avoid deadlock
2023-06-28 10:15:28 +02:00
clk
clk: tegra20: fix gcc-7 constant overflow warning
2023-05-30 12:42:10 +01:00
clocksource
clocksource/drivers/sh_cmt: Make sure channel clock supply is enabled
2023-01-18 11:30:06 +01:00
connector
cpufreq
cpufreq: amd_freq_sensitivity: Add missing pci_dev_put()
2023-01-18 11:30:06 +01:00
cpuidle
cpuidle: dt: Return the correct numbers of parsed idle states
2023-01-18 11:30:04 +01:00
crypto
crypto: crypto4xx - Call dma_unmap_page when done
2023-03-11 16:31:38 +01:00
dax
dca
devfreq
PM / devfreq: rk3399_dmc: Disable edev on remove()
2022-06-14 16:59:17 +02:00
dio
drivers: dio: fix possible memory leak in dio_init()
2023-01-18 11:30:23 +01:00
dma
dmaengine: pl330: rename _start to prevent build error
2023-06-09 10:23:55 +02:00
dma-buf
edac
EDAC/skx: Fix overflows on the DRAM row address mapping arrays
2023-05-17 11:13:09 +02:00
eisa
extcon
extcon: Modify extcon device to be created after driver data is set
2022-06-14 16:59:37 +02:00
firewire
firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region
2023-02-22 12:47:11 +01:00
firmware
firmware: arm_sdei: Fix sleep from invalid context BUG
2023-05-30 12:42:08 +01:00
fmc
fpga
fpga: bridge: fix kernel-doc parameter description
2023-05-17 11:13:15 +02:00
fsi
fsi: core: Check error number after calling ida_simple_get
2022-10-26 13:19:33 +02:00
gnss
gpio
gpio: davinci: Add irq chip flag to skip set wake
2023-04-20 12:04:38 +02:00
gpu
drm/radeon: fix race condition UAF in radeon_gem_set_domain_ioctl
2023-06-28 10:15:31 +02:00
hid
HID: wacom: Add error check to wacom_parse_and_register()
2023-06-28 10:15:30 +02:00
hsi
HSI: omap_ssi_core: Fix error handling in ssi_init()
2023-01-18 11:30:30 +01:00
hv
Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present CPUs
2023-06-28 10:15:28 +02:00
hwmon
hwmon: (scmi) Remove redundant pointer check
2023-06-09 10:24:03 +02:00
hwspinlock
hwtracing
coresight: Fix signedness bug in tmc_etr_buf_insert_barrier_packet()
2023-05-30 12:42:15 +01:00
i2c
i2c: imx-lpi2c: fix type char overflow issue when calculating the clock cycle
2023-06-28 10:15:32 +02:00
ide
idle
intel_idle: Disable IBRS during long idle
2022-11-23 07:53:45 +01:00
iio
iio: dac: build ad5758 driver when AD5758 is selected
2023-06-09 10:24:01 +02:00
infiniband
IB/isert: Fix incorrect release of isert connection
2023-06-21 15:39:58 +02:00
input
Input: psmouse - fix OOB access in Elantech protocol
2023-06-14 10:57:13 +02:00
iommu
iommu/mediatek-v1: Fix an error handling path in mtk_iommu_v1_probe()
2023-01-18 11:30:55 +01:00
ipack
irqchip
irqchip/meson-gpio: Mark OF related data as maybe unused
2023-06-21 15:39:56 +02:00
isdn
mISDN: hfcmulti: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave()
2023-01-18 11:30:32 +01:00
leds
lightnvm
lightnvm: disable the subsystem
2022-05-01 17:00:38 +02:00
macintosh
macintosh: via-pmu-led: requires ATA to be set
2023-05-17 11:13:18 +02:00
mailbox
mailbox: mailbox-test: fix a locking issue in mbox_test_message_write()
2023-06-09 10:24:01 +02:00
mcb
mcb-pci: Reallocate memory region to avoid memory overlapping
2023-05-30 12:42:09 +01:00
md
dm verity: fix error handling for check_at_most_once on FEC
2023-05-17 11:13:23 +02:00
media
media: cec: core: don't set last_initiator if tx in progress
2023-06-28 10:15:31 +02:00
memory
memory: of: Fix refcount leak bug in of_get_ddr_timings()
2022-10-26 13:19:28 +02:00
memstick
memstick: r592: Fix UAF bug in r592_remove due to race condition
2023-05-30 12:42:08 +01:00
message
scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition
2023-05-30 12:42:09 +01:00
mfd
mfd: dln2: Fix memory leak in dln2_probe()
2023-05-30 12:42:10 +01:00
misc
vmci_host: fix a race condition in vmci_host_poll() causing GPF
2023-05-17 11:13:16 +02:00
mmc
mmc: usdhi60rol0: fix deferred probing
2023-06-28 10:15:30 +02:00
mtd
spi: cadence-quadspi: fix suspend-resume implementations
2023-05-17 11:13:17 +02:00
mux
net
xen/netback: Fix buffer overrun triggered by unusual packet
2023-08-08 19:49:19 +02:00
nfc
nfcsim.c: Fix error checking for debugfs_create_dir
2023-06-28 10:15:31 +02:00
ntb
NTB: ntb_tool: uninitialized heap data in tool_fn_write()
2022-08-25 11:15:39 +02:00
nubus
nvdimm
nvdimm: Fix badblocks clear off-by-one error
2022-07-07 17:35:09 +02:00
nvme
nvmet: avoid potential UAF in nvmet_req_complete()
2023-03-22 13:27:09 +01:00
nvmem
of
of: Fix modalias string generation
2023-05-17 11:13:16 +02:00
opp
oprofile
parisc
parisc: led: Fix potential null-ptr-deref in start_task()
2023-01-18 11:30:44 +01:00
parport
parport_pc: Avoid FIFO port location truncation
2022-11-25 17:40:23 +01:00
pci
PCI: hv: Fix a race condition bug in hv_pci_query_relations()
2023-06-28 10:15:28 +02:00
pcmcia
pcmcia: db1xxx_ss: restrict to MIPS_DB1XXX boards
2022-06-14 16:59:31 +02:00
perf
perf: arm_dsu: Fix hotplug callback leak in dsu_pmu_init()
2023-01-18 11:30:02 +01:00
phy
phy: st: miphy28lp: use _poll_timeout functions for waits
2023-05-30 12:42:10 +01:00
pinctrl
pinctrl: meson-axg: add missing GPIOA_18 gpio group
2023-06-14 10:57:14 +02:00
platform
platform/x86: touchscreen_dmi: Add info for the Dexp Ursus KX210i
2023-05-17 11:13:26 +02:00
pnp
PNP: fix name memory leak in pnp_alloc_dev()
2023-01-18 11:30:05 +01:00
power
power: supply: Fix logic checking if system is running from battery
2023-06-21 15:39:56 +02:00
powercap
powercap: fix possible name leak in powercap_register_zone()
2023-03-11 16:31:36 +01:00
pps
ps3
ptp
ptp: replace snprintf with sysfs_emit
2022-04-15 14:15:00 +02:00
pwm
pwm: mtk-disp: Disable shadow registers before setting backlight values
2023-05-17 11:13:20 +02:00
rapidio
rapidio: devices: fix missing put_device in mport_cdev_open
2023-01-18 11:30:08 +01:00
ras
regulator
regulator: Fix error checking for debugfs_create_dir
2023-06-21 15:39:56 +02:00
remoteproc
remoteproc: qcom: wcnss: Fix handling of IRQs
2022-08-25 11:15:21 +02:00
reset
reset: tegra-bpmp: Restore Handle errors in BPMP response
2022-04-27 13:39:43 +02:00
rpmsg
rpmsg: glink: Avoid infinite loop on intent for missing channel
2023-03-11 16:31:45 +01:00
rtc
rtc: pm8xxx: fix set-alarm race
2023-03-11 16:31:48 +01:00
s390
s390/cio: unregister device when the only path is gone
2023-06-28 10:15:31 +02:00
sbus
scsi
scsi: dpt_i2o: Do not process completions with invalid addresses
2023-06-09 10:24:04 +02:00
sfi
sh
siox
siox: fix possible memory leak in siox_device_add()
2022-11-25 17:40:23 +01:00
slimbus
slimbus: stream: correct presence rate frequencies
2022-11-25 17:40:25 +01:00
sn
soc
ARM: ux500: do not directly dereference __iomem
2023-01-18 11:30:41 +01:00
soundwire
soundwire: bus_type: fix remove and shutdown support
2022-08-25 11:15:15 +02:00
spi
spi: qup: Request DMA before enabling clocks
2023-06-14 10:57:12 +02:00
spmi
spmi: Add a check for remove callback when removing a SPMI driver
2023-05-17 11:13:17 +02:00
ssb
staging
Revert "staging: rtl8192e: Replace macro RTL_PCI_DEVICE with PCI_DEVICE"
2023-06-14 10:57:15 +02:00
target
scsi: target: iscsi: Prevent login threads from racing between each other
2023-06-28 10:15:30 +02:00
tc
tee
tee: add overflow check in register_shm_helper()
2022-08-25 11:15:48 +02:00
thermal
thermal: intel: powerclamp: Fix cur_state for multi package system
2023-03-11 16:32:02 +01:00
thunderbolt
thunderbolt: Use const qualifier for ring_interrupt_index
2023-04-05 11:15:35 +02:00
tty
serial: lantiq: add missing interrupt ack
2023-06-28 10:15:27 +02:00
uio
uio: uio_dmem_genirq: Fix deadlock between irq config and handling
2023-01-18 11:30:25 +01:00
usb
usb: gadget: udc: fix NULL dereference in remove()
2023-06-28 10:15:31 +02:00
uwb
vfio
vfio: platform: Do not pass return buffer to ACPI _RST method
2023-01-18 11:30:25 +01:00
vhost
vhost/vsock: Use kvmalloc/kvfree for larger packets.
2022-10-26 13:19:26 +02:00
video
fbcon: Fix null-ptr-deref in soft_cursor
2023-06-09 10:24:04 +02:00
virt
vboxguest: Do not use devm for irq
2022-08-25 11:15:43 +02:00
virtio
virtio_mmio: Restore guest page size on resume
2022-07-21 21:09:30 +02:00
visorbus
vlynq
vme
vme: Fix error not catched in fake_init()
2023-01-18 11:30:28 +01:00
w1
w1: fix WARNING after calling w1_process()
2023-02-06 07:49:40 +01:00
watchdog
watchdog: menz069_wdt: fix watchdog initialisation
2023-06-09 10:23:57 +02:00
xen
xen/pvcalls-back: fix double frees with pvcalls_new_active_socket()
2023-05-30 12:42:15 +01:00
zorro
Kconfig
Makefile