projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: d683706) | patch
xen/pciback: Save xen_pci_op commands before processing it
authorKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Mon, 16 Nov 2015 17:40:48 +0000 (12:40 -0500)
committerWilly Tarreau <w@1wt.eu>
Mon, 6 Feb 2017 22:32:48 +0000 (23:32 +0100)
commitffb6bca6899f85c6c8b1609aeac3e004d18f8071
tree7d4873b21f90522457109b17b12e3249b1caec18tree | snapshot (tar.gz zip)
parentd6837064ef1e8d3edca4d4848e12e4e905f4039acommit | diff
xen/pciback: Save xen_pci_op commands before processing it

commit 8135cf8b092723dbfcc611fe6fdcb3a36c9951c5 upstream.

Double fetch vulnerabilities that happen when a variable is
fetched twice from shared memory but a security check is only
performed the first time.

The xen_pcibk_do_op function performs a switch statements on the op->cmd
value which is stored in shared memory. Interestingly this can result
in a double fetch vulnerability depending on the performed compiler
optimization.

This patch fixes it by saving the xen_pci_op command before
processing it. We also use 'barrier' to make sure that the
compiler does not perform any optimization.

This is part of XSA155.

Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Jan Beulich <JBeulich@suse.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: "Jan Beulich" <JBeulich@suse.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
drivers/xen/xen-pciback/pciback.h diff | blob | blame | history
drivers/xen/xen-pciback/pciback_ops.c diff | blob | blame | history
kernel source for telekom puls (alcatel/mediatek)