diff options
author | Jan Beulich <jbeulich@suse.com> | 2020-12-15 14:47:28 +0100 |
---|---|---|
committer | Jan Beulich <jbeulich@suse.com> | 2020-12-15 14:47:28 +0100 |
commit | 6ea37c69c7d3948d9bb6f217235ae8bd767e8c46 (patch) | |
tree | 86f29de4b9fc7dd7cbf0af1c2bcdce8877f519fb | |
parent | 136ac884e621a74b6b6168f474ae751a0ec690ab (diff) | |
download | xen-staging-4.10.tar.gz |
evtchn/FIFO: add 2nd smp_rmb() to evtchn_fifo_word_from_port()staging-4.10stable-4.10
Besides with add_page_to_event_array() the function also needs to
synchronize with evtchn_fifo_init_control() setting both d->evtchn_fifo
and (subsequently) d->evtchn_port_ops.
This is XSA-359 / CVE-2020-29571.
Reported-by: Julien Grall <jgrall@amazon.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
master commit: dc8b01affd7f6f36d34c3854f51df0847df3ec0e
master date: 2020-12-15 13:42:51 +0100
-rw-r--r-- | xen/common/event_fifo.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/xen/common/event_fifo.c b/xen/common/event_fifo.c index ab9e496696..454ca40743 100644 --- a/xen/common/event_fifo.c +++ b/xen/common/event_fifo.c @@ -34,6 +34,13 @@ static inline event_word_t *evtchn_fifo_word_from_port(const struct domain *d, { unsigned int p, w; + /* + * Callers aren't required to hold d->event_lock, so we need to synchronize + * with evtchn_fifo_init_control() setting d->evtchn_port_ops /after/ + * d->evtchn_fifo. + */ + smp_rmb(); + if ( unlikely(port >= d->evtchn_fifo->num_evtchns) ) return NULL; @@ -590,6 +597,10 @@ int evtchn_fifo_init_control(struct evtchn_init_control *init_control) if ( rc < 0 ) goto error; + /* + * This call, as a side effect, synchronizes with + * evtchn_fifo_word_from_port(). + */ rc = map_control_block(v, gfn, offset); if ( rc < 0 ) goto error; |