| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 15 Jan 2014 11:20:49 +0000
From: David Vrabel <david.vrabel@...rix.com>
To: Annie Li <Annie.li@...cle.com>
CC: <xen-devel@...ts.xen.org>, <netdev@...r.kernel.org>,
<wei.liu2@...rix.com>, <ian.campbell@...rix.com>
Subject: Re: [Xen-devel] [PATCH net-next] xen-netfront: clean up code in xennet_release_rx_bufs
On 09/01/14 22:48, Annie Li wrote:
> Current netfront only grants pages for grant copy, not for grant transfer, so
> remove corresponding transfer code and add receiving copy code in
> xennet_release_rx_bufs.
While netfront only supports a copying backend, I don't see anything
preventing the backend from retaining mappings to netfront's Rx buffers...
> Signed-off-by: Annie Li <Annie.li@...cle.com>
> ---
> drivers/net/xen-netfront.c | 60 ++-----------------------------------------
> 1 files changed, 3 insertions(+), 57 deletions(-)
>
> diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
> index e59acb1..692589e 100644
> --- a/drivers/net/xen-netfront.c
> +++ b/drivers/net/xen-netfront.c
> @@ -1134,78 +1134,24 @@ static void xennet_release_tx_bufs(struct netfront_info *np)
>
> static void xennet_release_rx_bufs(struct netfront_info *np)
> {
[...]
> - mfn = gnttab_end_foreign_transfer_ref(ref);
> + gnttab_end_foreign_access_ref(ref, 0);
... the gnttab_end_foreign_access_ref() may then fail and...
> gnttab_release_grant_reference(&np->gref_rx_head, ref);
> np->grant_rx_ref[id] = GRANT_INVALID_REF;
[...]
> + kfree_skb(skb);
... this could then potentially free pages that the backend still has
mapped. If the pages are then reused, this would leak information to
the backend.
Since only a buggy backend would result in this, leaking the skbs and
grant refs would be acceptable here. I would also print an error.
While checking blkfront for how it handles this, it also doesn't appear
to do the right thing either.
David
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists