Commit dca922e0 authored by Linus Torvalds's avatar Linus Torvalds
Pull xen fixes from Juergen Gross:
 "XSA-485 and XSA-487 security patches"

* tag 'xsa48x-7.1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
  xen/privcmd: fix double free via VMA splitting
  Buffer overflow in drivers/xen/sys-hypervisor.c
parents 3b3bea6d 24daca4f
+7 −0
@@ -1620,6 +1620,12 @@ static void privcmd_close(struct vm_area_struct *vma)
	kvfree(pages);
}

static int privcmd_may_split(struct vm_area_struct *area, unsigned long addr)
{
	/* Forbid splitting, avoids double free via privcmd_close(). */
	return -EINVAL;
}

static vm_fault_t privcmd_fault(struct vm_fault *vmf)
{
	printk(KERN_DEBUG "privcmd_fault: vma=%p %lx-%lx, pgoff=%lx, uv=%p\n",
@@ -1631,6 +1637,7 @@ static vm_fault_t privcmd_fault(struct vm_fault *vmf)

static const struct vm_operations_struct privcmd_vm_ops = {
	.close = privcmd_close,
	.may_split = privcmd_may_split,
	.fault = privcmd_fault
};
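Review bot: The comment in `privcmd_may_split` names the double free but not how a split leads to it, and a maintainer needs that mechanism to check the other ways a VMA can be duplicated. I would expand it to something like `/* A split leaves two VMAs that each run privcmd_close() and kvfree() the same pages array, so refuse every split. */`; the shared-array part is inferred from the `kvfree(pages)` context line, since the rest of `privcmd_close` is outside the hunk. It is also worth recording that a partial munmap() or mprotect() of a privcmd mapping now fails with -EINVAL, which user space can observe. The mmap handler is not visible here, so this section cannot confirm whether the VMA flags exclude duplication through fork and mremap.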

+6 −2
@@ -366,6 +366,8 @@ static ssize_t buildid_show(struct hyp_sysfs_attr *attr, char *buffer)
			ret = sprintf(buffer, "<denied>");
		return ret;
	}
	if (ret > PAGE_SIZE)
		return -ENOSPC;

	buildid = kmalloc(sizeof(*buildid) + ret, GFP_KERNEL);
	if (!buildid)
@@ -373,8 +375,10 @@ static ssize_t buildid_show(struct hyp_sysfs_attr *attr, char *buffer)

	buildid->len = ret;
	ret = HYPERVISOR_xen_version(XENVER_build_id, buildid);
	if (ret > 0)
		ret = sprintf(buffer, "%s", buildid->buf);
	if (ret > 0) {
		/* Build id is binary, not a string. */
		memcpy(buffer, buildid->buf, ret);
	}
	kfree(buildid);

	return ret;
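Review bot: The return value of the second `HYPERVISOR_xen_version()` call is used as the `memcpy` length without being compared against the size that was allocated, so the new `PAGE_SIZE` check bounds only the first call's answer. If the second call ever reported more than `buildid->len`, the copy would read past `buildid->buf` and could write past the sysfs page. Whether the hypercall can return such a value is not visible here, but the guard is cheap: `if (ret > 0 && ret <= buildid->len) {`, with the oversize case turned into an error return instead of a copy. `buildid_show` starts and ends outside the hunks shown.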