git: ab1cd885a619 - releng/11.4 - xen-blkback: fix leak of grant maps on ring setup failure

Mark Johnston markj at FreeBSD.org
Wed Feb 24 01:40:27 UTC 2021


The branch releng/11.4 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=ab1cd885a619a0304e40fa07795ea9ddcb33134e

commit ab1cd885a619a0304e40fa07795ea9ddcb33134e
Author:     Roger Pau Monné <royger at FreeBSD.org>
AuthorDate: 2021-01-20 18:40:51 +0000
Commit:     Mark Johnston <markj at FreeBSD.org>
CommitDate: 2021-02-24 01:34:52 +0000

    xen-blkback: fix leak of grant maps on ring setup failure
    
    Multi page rings are mapped using a single hypercall that gets passed
    an array of grants to map. One of the grants in the array failing to
    map would lead to the failure of the whole ring setup operation, but
    there was no cleanup of the rest of the grant maps in the array that
    could have likely been created as a result of the hypercall.
    
    Add proper cleanup on the failure path during ring setup to unmap any
    grants that could have been created.
    
    This is part of XSA-361.
    
    Approved by:    so
    Security:       CVE-2021-26932
    Security:       FreeBSD-SA-21:06.xen
    Sponsored by:   Citrix Systems R&D
    
    (cherry picked from commit 808d4aad1022a2a33d222663b0c9badde30b9d45)
    (cherry picked from commit 89238773a37f4fc8f0bf3ccca3aa03874478f194)
---
 sys/dev/xen/blkback/blkback.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/sys/dev/xen/blkback/blkback.c b/sys/dev/xen/blkback/blkback.c
index 4b6eeb0cf62f..5fb5cdbe6ea1 100644
--- a/sys/dev/xen/blkback/blkback.c
+++ b/sys/dev/xen/blkback/blkback.c
@@ -2911,10 +2911,31 @@ xbb_connect_ring(struct xbb_softc *xbb)
 	     ring_idx < xbb->ring_config.ring_pages;
 	     ring_idx++, gnt++) {
 		if (gnt->status != 0) {
+			struct gnttab_unmap_grant_ref unmap[XBB_MAX_RING_PAGES];
+			unsigned int i, j;
+
 			xbb->ring_config.va = 0;
 			xenbus_dev_fatal(xbb->dev, EACCES,
 					 "Ring shared page mapping failed. "
 					 "Status %d.", gnt->status);
+
+			/* Unmap everything to avoid leaking grant table maps */
+			for (i = 0, j = 0; i < xbb->ring_config.ring_pages;
+			    i++) {
+				if (gnts[i].status != GNTST_okay)
+					continue;
+
+				unmap[j].host_addr = gnts[i].host_addr;
+				unmap[j].dev_bus_addr = gnts[i].dev_bus_addr;
+				unmap[j++].handle = gnts[i].handle;
+			}
+			if (j != 0) {
+				error = HYPERVISOR_grant_table_op(
+				    GNTTABOP_unmap_grant_ref, unmap, j);
+				if (error != 0)
+					panic("Unable to unmap grants (%d)",
+					    error);
+			}
 			return (EACCES);
 		}
 		xbb->ring_config.handle[ring_idx]   = gnt->handle;
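Review bot: the status test is written two different ways in the same block: the outer check uses `gnt->status != 0` while the new cleanup loop uses `gnts[i].status != GNTST_okay`; using `GNTST_okay` in both places would make it clearer that the loop deliberately skips the entry that triggered the error path (and any other entry that did not map, so no bogus handle is passed to `GNTTABOP_unmap_grant_ref`). The cleanup itself looks right: only entries with a successful status contribute a `host_addr`/`dev_bus_addr`/`handle` triple to `unmap`, and the unmap hypercall is issued only when `j != 0`. Two points worth confirming outside the hunk: `error` is assigned here but not declared in these lines, so it must be the function-level variable, and `unmap[XBB_MAX_RING_PAGES]` is a stack array, so the loop relies on `ring_config.ring_pages` being bounded by `XBB_MAX_RING_PAGES` before this code is reached.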
