Patch "xen-netfront: restore __skb_queue_tail() positioning in xennet_get_responses()" has been added to the 5.18-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Tue, 05 Jul 2022 13:45:03 +0200

This is a note to let you know that I've just added the patch titled

    xen-netfront: restore __skb_queue_tail() positioning in xennet_get_responses()

to the 5.18-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     xen-netfront-restore-__skb_queue_tail-positioning-in-xennet_get_responses.patch
and it can be found in the queue-5.18 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From foo@baz Tue Jul  5 12:55:01 PM CEST 2022
From: Jan Beulich <jbeulich@xxxxxxxx>
Date: Fri, 1 Jul 2022 09:57:19 +0200
Subject: xen-netfront: restore __skb_queue_tail() positioning in xennet_get_responses()

From: Jan Beulich <jbeulich@xxxxxxxx>

commit f63c2c2032c2e3caad9add3b82cc6e91c376fd26 upstream.

The commit referenced below moved the invocation past the "next" label,
without any explanation. In fact this allows misbehaving backends undue
control over the domain the frontend runs in, as earlier detected errors
require the skb to not be freed (it may be retained for later processing
via xennet_move_rx_slot(), or it may simply be unsafe to have it freed).

This is CVE-2022-33743 / XSA-405.

Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront")
Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
Reviewed-by: Juergen Gross <jgross@xxxxxxxx>
Signed-off-by: Juergen Gross <jgross@xxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/net/xen-netfront.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -1094,8 +1094,10 @@ static int xennet_get_responses(struct n
 			}
 		}
 		rcu_read_unlock();
-next:
+
 		__skb_queue_tail(list, skb);
+
+next:
 		if (!(rx->flags & XEN_NETRXF_more_data))
 			break;
 


Patches currently in stable-queue which might be from jbeulich@xxxxxxxx are

queue-5.18/xen-netfront-fix-leaking-data-in-shared-pages.patch
queue-5.18/xen-blkfront-fix-leaking-data-in-shared-pages.patch
queue-5.18/xen-netfront-restore-__skb_queue_tail-positioning-in-xennet_get_responses.patch






